owlcroft
06-02-2004, 12:46 AM
There are, as I see it, four states or situations that affect the usability of PHP, and they are a two-by-two matrix of these things:
1. Is PHP run through a cgi wrapper? (Yes/No)
2. Is "Safe Mode" on? (Yes/No)
Three of the four cases are, I think, handled without much difficulty. The real problem seems to be cgi wrappers not enabled while yet "Safe Mode" is On.
(While one could argue that any host who locks PHP "Safe Mode" On without providing access to a cgi wrapper for PHP deserves to be abandoned, the fact remains that some users will have such a host and will not just jump up and change hosts. So what to do in such cases for PHP scripts that need to make new directories and read and write files in them?)
PHP in such instances is user "nobody" (or "www"). "Safe Mode" goes beyond mere permissions to look at the User ID of the file or directory and that of the "user". I have seen hideous kludges using ftp processes to make directories so that their "owner" is PHP, but that seems ludicrous.
I have an idea, but it turns on the exact meaning of the sentence in the online PHP Manual that says:
When safe mode is enabled, PHP checks whether the directory in which you are about to operate has the same UID (owner) as the script that is being executed.
If that statement is exactly correct, it would mean that I could upload a PHP script to the root of a site (one I own) and have that script make a subdirectory off the root which subdirectory would be "owned" by PHP, not me. That would be because: 1) I own the root directory; 2) I "own" the PHP script, because I uploaded it; 3) the script can make the subdirectory because "the directory in which you are about to operate has the same UID (owner) as the script that is being executed"; and 4) because PHP (or "nobody" or "www") is the maker of the directory, other PHP scripts would have whatever rights in the directory I had assigned to "owner" at the time of creation from within the script.
But--if the statement in the manual is simply a sloppy rendition of "PHP checks whether the directory in which you are about to operate has the same UID (owner) as the user attempting the script execution", the thing would fail.
Does anyone know for sure?
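Added example, not part of the original post and not PHP's own code: a simplified Python model of the UID comparison under the two readings of the manual sentence discussed above. The UIDs, paths and function names are constructed for illustration, and the model assumes that anything PHP creates is owned by the UID the PHP process runs as.

```python
# Simplified model of the safe-mode ownership comparison; not PHP's source.
from dataclasses import dataclass, field

UPLOADER_UID = 1001   # constructed: account that uploads files over FTP
WEB_UID = 99          # constructed: "nobody"/"www", the UID PHP runs as


@dataclass
class ModelFS:
    """Maps each path to the UID that owns it."""
    owners: dict = field(default_factory=dict)

    def parent(self, path):
        return path.rsplit("/", 1)[0] or "/"


def reference_uid(script, fs, reading):
    # "script_owner": the manual sentence read literally.
    # "process_user": the alternative reading raised in the post.
    return fs.owners[script] if reading == "script_owner" else WEB_UID


def safe_mkdir(fs, script, path, reading):
    """Create path if the parent directory passes the UID comparison."""
    if fs.owners[fs.parent(path)] != reference_uid(script, fs, reading):
        return False
    fs.owners[path] = WEB_UID   # assumption: new entries belong to the process UID
    return True


def safe_write(fs, script, path, reading):
    """Create a file if its containing directory passes the comparison."""
    if fs.owners[fs.parent(path)] != reference_uid(script, fs, reading):
        return False
    fs.owners[path] = WEB_UID
    return True


def scenario(reading):
    """Uploader-owned script makes /site/data, then writes a file into it."""
    fs = ModelFS({"/site": UPLOADER_UID, "/site/setup.php": UPLOADER_UID})
    made = safe_mkdir(fs, "/site/setup.php", "/site/data", reading)
    wrote = made and safe_write(fs, "/site/setup.php", "/site/data/a.txt", reading)
    return made, wrote, fs.owners.get("/site/data")


if __name__ == "__main__":
    for reading in ("script_owner", "process_user"):
        print(reading, scenario(reading))
```

In this model the literal reading lets the script create the subdirectory, but the subdirectory then belongs to the web server UID, so the same uploader-owned script fails the comparison when it tries to write into it.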