Is php safe mode run as cgi a little too safe, or perhaps not safe enough?
Anyway, when run under cgiwrap (http://cgiwrap.unixtools.org/), it behaves in a sort of inconsistent way. Consider the following script owned by root (uid 0) in a cgi enabled directory:
---runphp.cgi-------------------------------
#!/usr/local/bin/php
Testing phprun.cgi for <b>
<?
echo "$user";
?>
</b><p>writing index.php ...
<?
$f = fopen("/www/$user/index.php","w");
if ($f) {
echo "success.\n";
fputs($f,"file written by $user\n");
fclose($f);
} else {
echo "failure.\n";
}
?>
<p>reading index.php ...
<?
$f = fopen("/www/$user/index.php","r");
if ($f) {
echo "success.\n";
$content = fgets($f);
fclose($f);
echo "<br>content: $content<br>";
} else {
echo "failure.\n";
}
?>
When invoked under cgiwrap, the effective uid of the running process becomes that of $user. In the absence of /www/dran/index.php, with
$user=dran (uid=502), it succeeds in creation of the file:
-rw-r--r-- 1 dran hermes 21 Aug 30 08:14 /www/dran/index.php
But it fails in reading the file back. This is what it produced in a browser window:
--- first run - no index.php in /www/dran --
Testing phprun.cgi for dran
writing index.php ... success.
reading index.php ...
Warning: SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/dran/index.php owned by uid 502 in /home/dran//E/runphp.cgi on line 19
Warning: fopen("/www/dran/index.php","r") - No such file or directory in /home/dran//E/runphp.cgi on line 19
failure.
When run for the second time:
--- second run - after index.php has been created -----------------
Testing phprun.cgi for dran
writing index.php ...
Warning: SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/dran/index.php owned by uid 502 in /home/dran//E/runphp.cgi on line 8
Warning: fopen("/www/dran/index.php","w") - Inappropriate ioctl for device in /home/dran//E/runphp.cgi on line 8
failure.
reading index.php ...
Warning: SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/dran/index.php owned by uid 502 in /home/dran//E/runphp.cgi on line 19
Warning: fopen("/www/dran/index.php","r") - Inappropriate ioctl for device in /home/dran//E/runphp.cgi on line 19
failure.
In conclusion, the user dran is able to create files, but not to read them, or rewrite them, even in the same php script under cgiwrap.
I guess php in safe mode checks uid of the script file rather than uid of the running process to be compared with uid of the file which the script is about to operate on. If, however, the script creates a new file, its owner is defined to be the uid of the running process, without any complaints from php safe mode. Therefore, the file created by the script, is never accessible to the very script. Isn't it bemusing?
I think it would be better if php safe compared uid of the running process rather than uid of the script, to the uid of the file on which the process operates. Wouldn't it?
--
Jack
