mirror of
https://github.com/sigmasternchen/php-doc-en
synced 2025-03-17 01:18:55 +00:00
6ae3b9dba5
Syntax for vim < 6 is set to sgml, because xml is not recognizing tag-names. This was discussed before, and this turned out to be best for all vi(m) versions. git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@57993 c90b9560-bf6c-de11-be94-00142212c4b1
283 lines
9.8 KiB
XML
283 lines
9.8 KiB
XML
<?xml encoding="iso-8859-1"?>
|
|
<!-- $Revision: 1.13 $ -->
|
|
<chapter id="features.safe-mode">
|
|
<title>Safe Mode</title>
|
|
|
|
<para>
|
|
Safe Mode is an attempt to solve the shared-server security problem. It is
|
|
architecturally incorrect to try to solve this problem at the PHP level,
|
|
but since the alternatives at the web server and OS levels aren't very
|
|
realistic, many people, especially ISP's, use Safe Mode for now.
|
|
</para>
|
|
<para>
|
|
The configuration directives that control Safe Mode are:
|
|
<programlisting role="ini">
|
|
safe_mode = Off
|
|
open_basedir =
|
|
safe_mode_exec_dir =
|
|
safe_mode_allowed_env_vars = PHP_
|
|
safe_mode_protected_env_vars = LD_LIBRARY_PATH
|
|
disable_functions =
|
|
</programlisting>
|
|
</para>
|
|
<para>
|
|
When <link linkend="ini.safe-mode">safe_mode</link> is on, PHP checks to see
|
|
if the owner of the current script matches the owner of the file to be
|
|
operated on by a file function. For example:
|
|
<programlisting role="ls">
|
|
-rw-rw-r-- 1 rasmus rasmus 33 Jul 1 19:20 script.php
|
|
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd
|
|
</programlisting>
|
|
Running this script.php
|
|
<programlisting role="php">
|
|
<?php
|
|
readfile('/etc/passwd');
|
|
?>
|
|
</programlisting>
|
|
results in this error when Safe Mode is enabled:
|
|
<programlisting role="php">
|
|
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
|
|
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2
|
|
</programlisting>
|
|
</para>
|
|
<para>
|
|
If instead of <link linkend="ini.safe-mode">safe_mode</link>, you set an
|
|
open_basedir directory then all file operations will be limited to files
|
|
under the specified directory. For example (Apache httpd.conf example):
|
|
<programlisting role="ini">
|
|
<Directory /docroot>
|
|
php_admin_value open_basedir /docroot
|
|
</Directory>
|
|
</programlisting>
|
|
If you run the same script.php with this open_basedir setting then this is
|
|
the result:
|
|
<programlisting role="php">
|
|
Warning: open_basedir restriction in effect. File is in wrong directory in
|
|
/docroot/script.php on line 2
|
|
</programlisting>
|
|
</para>
|
|
<para>
|
|
You can also disable individual functions. If we add this to our php.ini
|
|
file:
|
|
<programlisting role="ini">
|
|
disable_functions readfile,system
|
|
</programlisting>
|
|
Then we get this output:
|
|
<programlisting role="php">
|
|
Warning: readfile() has been disabled for security reasons in
|
|
/docroot/script.php on line 2
|
|
</programlisting>
|
|
</para>
|
|
|
|
<sect1 id="features.safe-mode.functions">
|
|
<title>Functions restricted/disabled by Safe Mode</title>
|
|
<para>
|
|
This is a still probably incomplete and possibly incorrect listing
|
|
of the functions limited by
|
|
<link linkend="features.safe-mode">Safe Mode</link>.
|
|
<!-- TODO: add ¬e.sm.*; to the functions mentioned here.
|
|
That entity should link to this section -->
|
|
<table>
|
|
<title>Safe Mode limited functions</title>
|
|
<tgroup cols="2">
|
|
<thead>
|
|
<row>
|
|
<entry>Function</entry>
|
|
<entry>Limitations</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry><function>dbmopen</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>dbase_open</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>filepro</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>filepro_rowcount</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>filepro_retrieve</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>ifx_*</function></entry>
|
|
<entry>sql_safe_mode restrictions, (!= Safe Mode)</entry>
|
|
<!-- TODO: more info on sql-safe-mode -->
|
|
</row>
|
|
<row>
|
|
<entry><function>ingres_*</function></entry>
|
|
<entry>sql_safe_mode restrictions, (!= Safe Mode)</entry>
|
|
<!-- TODO: more info on sql-safe-mode -->
|
|
</row>
|
|
<row>
|
|
<entry><function>mysql_*</function></entry>
|
|
<entry>sql_safe_mode restrictions, (!= Safe Mode)</entry>
|
|
<!-- TODO: more info on sql-safe-mode -->
|
|
</row>
|
|
<row>
|
|
<entry><function>pg_loimport</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
<!-- source TODO: there is no PHP-warning for that safe-mode-restriction -->
|
|
</row>
|
|
<row>
|
|
<entry><function>posix_mkfifo</function></entry>
|
|
<entry>&sm.uidcheck.dir;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>putenv</function></entry>
|
|
<entry>Obeys the safe_mode_protected_env_vars and
|
|
safe_mode_allowed_env_vars ini-directives. See also the documentation
|
|
on <function>putenv</function></entry>
|
|
<!-- TODO: document those directives in chapters/config.xml -->
|
|
</row>
|
|
<row>
|
|
<entry><function>move_uploaded_file</function></entry>
|
|
<entry>&sm.uidcheck; <!-- TODO: check this --></entry>
|
|
</row>
|
|
|
|
<!-- TODO: from here on, add warning to the function itself -->
|
|
|
|
<row>
|
|
<entry><function>chdir</function></entry>
|
|
<entry>&sm.uidcheck.dir;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>dl</function></entry>
|
|
<entry>&sm.disabled;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><link linkend="language.operators.execution">backtick operator</link></entry>
|
|
<entry>&sm.disabled;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>shell_exec</function> (functional equivalent
|
|
of backticks)</entry>
|
|
<entry>&sm.disabled;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>exec</function></entry>
|
|
<entry>You can only execute executables within the <link
|
|
linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link>.
|
|
For practical reasons it's currently not allowed to have
|
|
<literal>..</literal> components in the path to the executable.</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>system</function></entry>
|
|
<entry>You can only execute executables within the <link
|
|
linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link>.
|
|
For practical reasons it's currently not allowed to have
|
|
<literal>..</literal> components in the path to the executable.</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>passthru</function></entry>
|
|
<entry>You can only execute executables within the <link
|
|
linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link>.
|
|
For practical reasons it's currently not allowed to have
|
|
<literal>..</literal> components in the path to the executable.</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>popen</function></entry>
|
|
<entry>You can only execute executables within the <link
|
|
linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link>.
|
|
For practical reasons it's currently not allowed to have
|
|
<literal>..</literal> components in the path to the executable.</entry>
|
|
<!-- TODO: not sure. popen uses a completely different implementation
|
|
Don't know why, don't know whether it's behaving the same -->
|
|
</row>
|
|
<row>
|
|
<entry><function>mkdir</function></entry>
|
|
<entry>&sm.uidcheck.dir;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>rmdir</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>rename</function></entry>
|
|
<entry>&sm.uidcheck; &sm.uidcheck.dir;<!-- on the old name only, it seems. Is rename preventing moving files? --></entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>unlink</function></entry>
|
|
<entry>&sm.uidcheck; &sm.uidcheck.dir;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>copy</function></entry>
|
|
<entry>&sm.uidcheck; &sm.uidcheck.dir; (on
|
|
<parameter>source</parameter> and
|
|
<parameter>target</parameter>) </entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>chgrp</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>chown</function></entry>
|
|
<entry>&sm.uidcheck;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>chmod</function></entry>
|
|
<entry>&sm.uidcheck; In addition, you cannot
|
|
set the SUID, SGID and sticky bits</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>touch</function></entry>
|
|
<entry>&sm.uidcheck; &sm.uidcheck.dir;</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>symlink</function></entry>
|
|
<entry>&sm.uidcheck; &sm.uidcheck.dir; (note: only the target is
|
|
checked)</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>link</function></entry>
|
|
<entry>&sm.uidcheck; &sm.uidcheck.dir; (note: only the target is
|
|
checked)</entry>
|
|
</row>
|
|
<row>
|
|
<entry><function>getallheaders</function></entry>
|
|
<entry>In Safe Mode, headers beginning with 'authorization'
|
|
(case-insensitive)
|
|
will not be returned. Warning: this is broken with the aol-server
|
|
implementation of <function>getallheaders</function>!</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Any function that uses
|
|
<filename>php4/main/fopen_wrappers.c</filename>
|
|
</entry>
|
|
<entry>??</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
</para>
|
|
</sect1>
|
|
|
|
</chapter>
|
|
|
|
<!-- Keep this comment at the end of the file
|
|
Local variables:
|
|
mode: sgml
|
|
sgml-omittag:t
|
|
sgml-shorttag:t
|
|
sgml-minimize-attributes:nil
|
|
sgml-always-quote-attributes:t
|
|
sgml-indent-step:1
|
|
sgml-indent-data:t
|
|
sgml-parent-document:nil
|
|
sgml-default-dtd-file:"../../manual.ced"
|
|
sgml-exposed-tags:nil
|
|
sgml-local-catalogs:nil
|
|
sgml-local-ecat-files:nil
|
|
End:
|
|
vim600: syn=xml fen fdm=syntax fdl=2 si
|
|
vim: et tw=78 syn=sgml
|
|
vi: ts=1 sw=1
|
|
-->
|