I've got safe_mode set up, but it's not doing what I thought it would. I want scripts owned by user X to be able to modify files that are owned by and only writable by user X. Then, if user Y telnets in, he can't mess with user X's PHP-created files.
Is safe_mode supposed to do this? That is to say, can a PHP script owned by X read and write files as X, or are the files read and written as user www (the UID of Apache)?
PHP script testing.php has UID gkj and GID gkj. It's in /home/www/gkj. It contains this code:
touch("testing.txt");
Also in the directory is a file testing.txt. It's chmod-ed to 755 and it has UID gkj and GID gkj. The directory (/home/www/gkj) has the same permissions and ownership.
When testing.php runs it produces this output:
Warning: utime failed: Permission denied in /home/www/gkj/testing.php on line 1
Apache's httpd.conf is set up with this VirtualHost:
<VirtualHost 192.168.0.1:81>
ServerName 192.168.0.1:81
DocumentRoot /home/www/gkj
User gkj
Group gkj
php_admin_flag safe_mode on
</VirtualHost>
My first reaction was to think that safe_mode was not working. However, when I change the testing.php code to try getting at another user's file, /home/www/karen/testing.txt, so that the code was this:
touch("../karen/2testing.txt");
I get this error:
Warning: SAFE MODE Restriction in effect. The script whose uid is 1000 is not allowed to access ../karen/testing.txt owned by uid 1007 in /home/www/gkj/testing.php on line 1
When I chown /home/www/gkj/testing.txt to UID www and GID www, the original code works error free. But as I said, this is not what I thought the functionality of safe_mode was.
-- Boggled, in Maryland
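
Added diagnostic, not part of the original post: safe_mode's file check compares the owner of the running script with the owner of the target file, while the kernel still checks the write against the UID of the process executing PHP. The script below reports both results for testing.txt. It assumes PHP is loaded as an Apache module and the posix extension is available; the helper names uid_label and report_access are hypothetical.

```php
<?php
// Added example, not from the original post. Put it next to testing.txt.
// Assumes the posix extension is loaded; helper names are hypothetical.

function uid_label($uid) {
    $pw = posix_getpwuid($uid);
    return $uid . ($pw ? ' (' . $pw['name'] . ')' : '');
}

function report_access($target) {
    clearstatcache();
    // touch() on a missing file creates it, so the directory is what matters then.
    $checked = file_exists($target) ? $target : dirname($target);

    $script_uid = getmyuid();        // owner of this script: what safe_mode compares
    $proc_uid   = posix_geteuid();   // UID the kernel checks: the web server process
    $owner_uid  = fileowner($checked);
    $mode       = fileperms($checked) & 0777;

    return array(
        'checked'      => $checked,
        'script_owner' => uid_label($script_uid),
        'process_uid'  => uid_label($proc_uid),
        'file_owner'   => uid_label($owner_uid),
        'mode'         => sprintf('%04o', $mode),
        // Layer 1: PHP's own check, script owner against file owner.
        'safe_mode_ok' => ($script_uid === $owner_uid),
        // Layer 2: ordinary Unix permissions, evaluated for the process UID.
        'os_write_ok'  => is_writable($checked),
    );
}

$r = report_access(dirname(__FILE__) . '/testing.txt');
header('Content-Type: text/plain');
foreach ($r as $key => $value) {
    if (is_bool($value)) {
        $value = $value ? 'yes' : 'no';
    }
    echo str_pad($key, 14), $value, "\n";
}
```

A result of safe_mode_ok yes with os_write_ok no means the script passed PHP's ownership check but the server process itself lacks write permission on the file.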