- Add documentation for safe_mode_gid and safe_mode_include_dir (closes #16691).

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@82981 c90b9560-bf6c-de11-be94-00142212c4b1
Markus Fischer 2002-05-20 16:38:40 +00:00
parent ea30f704ff
commit 69cb80001d
2 changed files with 102 additions and 15 deletions


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.52 $ -->
<!-- $Revision: 1.53 $ -->
<chapter id="configuration">
<title>Configuration</title>
@ -845,6 +845,21 @@ include_path=".;c:\www\phplib"
</listitem>
</varlistentry>
<varlistentry id="ini.safe-mode-gid">
<term>
<parameter>safe_mode_gid</parameter>
<type>boolean</type>
</term>
<listitem>
<para>
Whether to use <literal>UID</literal> (<literal>Off</literal>) or
<literal>GID</literal> (<literal>On</literal>) checking upon file
access. See <link linkend="features.safe-mode">Safe Mode</link> for
more information.
</para>
</listitem>
</varlistentry>
<varlistentry id="ini.safe-mode-exec-dir">
<term>
<parameter>safe_mode_exec_dir</parameter>
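Review bot: The new safe_mode_gid entry does not state its default or that it only has an effect while safe_mode is enabled, so a reader of the configuration chapter alone cannot tell which check is active out of the box. Suggest adding "Defaults to Off (UID checking)" to the para, and one clause saying what is compared (the owner or group of the script against that of the file being accessed), since that decides how much isolation the On setting gives up.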
@ -858,6 +873,21 @@ include_path=".;c:\www\phplib"
</listitem>
</varlistentry>
<varlistentry id="ini.safe-mode-include--dir">
<term>
<parameter>safe_mode_include_dir</parameter>
<type>string</type>
</term>
<listitem>
<para>
<literal>UID</literal>/<literal>GID</literal> checks are bypassed when
including files from this directory and its subdirectories (directory
must also be in <link linkend="ini.include-path">include_path</link>
or full path must including).
</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
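Review bot: The id on the new varlistentry is "ini.safe-mode-include--dir" with a doubled hyphen, while the table added to the safe mode chapter in this same commit links to "ini.safe-mode-include-dir", so that link will not resolve; drop the extra hyphen. The closing clause "or full path must including" is ungrammatical and leaves the requirement unclear; it should say what the alternative to listing the directory in include_path actually is. Because this directive switches the UID/GID check off for a whole directory tree, the para should also tell administrators that the directory must not be writable by the users whose scripts run under safe mode.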

View file

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.24 $ -->
<!-- $Revision: 1.25 $ -->
<chapter id="features.safe-mode">
<title>Safe Mode</title>
@ -11,19 +11,67 @@
especially ISP's, use safe mode for now.
</para>
<para>
The configuration directives that control safe mode are:
<programlisting role="ini">
<![CDATA[
safe_mode = Off
safe_mode_gid = 0
safe_mode_include_dir =
safe_mode_exec_dir =
open_basedir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions =
]]>
</programlisting>
<table>
<title>Configuration directives controlling safe mode are:</title>
<tgroup cols="2">
<thead>
<row>
<entry>Directive</entry>
<entry>Default value</entry>
</row>
</thead>
<tbody>
<row>
<entry>
<link linkend="ini.safe-mode">safe_mode</link>
</entry>
<entry><literal>Off</literal></entry>
</row>
<row>
<entry>
<link linkend="ini.safe-mode-gid">safe_mode_gid</link>
</entry>
<entry><literal>0</literal></entry>
</row>
<row>
<entry>
<link linkend="ini.safe-mode-include-dir">safe_mode_include_dir</link>
</entry>
<entry><literal>""</literal></entry>
</row>
<row>
<entry>
<link linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link>
</entry>
<entry><literal>1</literal></entry>
</row>
<row>
<entry>
<link linkend="ini.open-basedir">open_basedir</link>
</entry>
<entry><literal>""</literal></entry>
</row>
<row>
<entry>
<literal>safe_mode_allowed_env_vars</literal>
</entry>
<entry><literal>PHP_</literal></entry>
</row>
<row>
<entry>
<literal>safe_mode_protected_env_vars</literal>
</entry>
<entry><literal>LD_LIBRARY_PATH</literal></entry>
</row>
<row>
<entry>
<literal>disable_functions</literal>
</entry>
<entry><literal>""</literal></entry>
</row>
</tbody>
</tgroup>
</table>
</para>
<para>
When <link linkend="ini.safe-mode">safe_mode</link> is on, PHP checks to see
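Review bot: The safe_mode_exec_dir row gives a default of "1", but the ini listing this table replaces shows "safe_mode_exec_dir =" with an empty value, and a directory setting would not default to a number; this looks like a copy error and should be an empty string like the safe_mode_include_dir row. The safe_mode_gid row shows "0" while the paragraph added later in this file calls the default Off; pick one spelling for boolean defaults across the table. The table title "Configuration directives controlling safe mode are:" still carries the sentence form of the old lead-in; "Configuration directives controlling safe mode" reads better as a title.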
@ -51,6 +99,15 @@ allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2
]]>
</screen>
</para>
<para>
However, there may be environments where a strict <literal>UID</literal>
check is not appropriate and a relaxed <literal>GID</literal> check is
sufficient. This is supported by means of the <link
linkend="ini.safe-mode-gid">safe_mode_gid</link> switch. Setting it to
<literal>On</literal> performs the relaxed <literal>GID</literal> checking,
setting it to <literal>Off</literal> (the default) performs
<literal>UID</literal> checking.
</para>
<para>
If instead of <link linkend="ini.safe-mode">safe_mode</link>, you set an
<link linkend="ini.open-basedir">open_basedir</link> directory then all
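Review bot: The new safe_mode_gid paragraph calls the GID check "relaxed" without saying what is compared or what is given up, which is the information an administrator needs before turning it on. Suggest stating that with the switch On a file is accessible when its group matches that of the script, and that on hosts where many accounts share one group this removes the per-user separation the UID check provides. The last sentence is also a comma splice ("... GID checking, setting it to Off ..."); split it into two sentences.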