Last updated: Thu, 18 Jul 2002

Chapter 24. Safe Mode

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISPs, use safe mode for now.

Table 24-1. Configuration directives controlling safe mode

| Directive | Default value |
| --- | --- |
| safe_mode | Off |
| safe_mode_gid | 0 |
| safe_mode_include_dir | "" |
| safe_mode_exec_dir | 1 |
| open_basedir | "" |
| safe_mode_allowed_env_vars | PHP_ |
| safe_mode_protected_env_vars | LD_LIBRARY_PATH |
| disable_functions | "" |

When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function. For example:

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php 
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd
Running this script.php
<?php
 readfile('/etc/passwd'); 
?>
results in this error when safe mode is enabled:
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not 
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

However, there may be environments where a strict UID check is not appropriate and a relaxed GID check is sufficient. This is supported by means of the safe_mode_gid switch. Setting it to On performs the relaxed GID checking, setting it to Off (the default) performs UID checking.
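
The decision described above, including the safe_mode_gid variant, as a simplified model. This is an added example, not code from the PHP manual or the PHP source. UID 500 and UID 0 come from the warning above; the GIDs, the other owners and the containing-directory fallback (taken from the user notes further down this page) are assumptions of the model.

```php
<?php
// Added example: simplified model of the safe-mode ownership decision.
// Owners are passed as ['uid' => int, 'gid' => int] arrays, so this runs
// on PHP 7.1+ without safe mode and without touching real files.

function safe_mode_allows(array $script, array $file, bool $safeModeGid, ?array $dir = null): array
{
    if ($file['uid'] === $script['uid']) {
        return [true, 'file uid matches script uid'];
    }
    if ($safeModeGid && $file['gid'] === $script['gid']) {
        return [true, 'file gid matches script gid (safe_mode_gid = On)'];
    }
    // Fallback described in the user notes for PHP 4.2: the directory
    // holding the file belongs to the script's uid.
    if ($dir !== null && $dir['uid'] === $script['uid']) {
        return [true, 'containing directory uid matches script uid'];
    }
    return [false, sprintf('script uid %d vs file uid %d', $script['uid'], $file['uid'])];
}

// Constructed owners. uid 500 and uid 0 come from the warning above;
// the gids, the web server account and the peer account are assumptions.
$rasmus = ['uid' => 500, 'gid' => 500];
$root   = ['uid' => 0,   'gid' => 0];
$apache = ['uid' => 48,  'gid' => 48];
$peer   = ['uid' => 501, 'gid' => 500];

// Each case: [script owner, file owner, safe_mode_gid, directory owner]
$cases = [
    'script.php reads /etc/passwd'            => [$rasmus, $root,   false, $root],
    'same group, safe_mode_gid Off'           => [$rasmus, $peer,   false, null],
    'same group, safe_mode_gid On'            => [$rasmus, $peer,   true,  null],
    'server-owned file in own directory'      => [$rasmus, $apache, false, $rasmus],
    'file in a directory made by mkdir()'     => [$rasmus, $apache, false, $apache],
    'NT host where every owner reports uid 0' => [$root,   $root,   false, null],
];

foreach ($cases as $label => [$script, $file, $gidMode, $dir]) {
    [$ok, $why] = safe_mode_allows($script, $file, $gidMode, $dir);
    printf("%-42s %s (%s)\n", $label, $ok ? 'ALLOW' : 'DENY', $why);
}
```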

If, instead of safe_mode, you set an open_basedir directory, then all file operations will be limited to files under the specified directory. For example (Apache httpd.conf example):

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>
If you run the same script.php with this open_basedir setting then this is the result:
Warning: open_basedir restriction in effect. File is in wrong directory in 
/docroot/script.php on line 2
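
The open_basedir value in the example above has no trailing slash. The PHP manual's entry for open_basedir describes the value, for PHP versions of this period, as a prefix rather than a directory name, so `/docroot` also matches `/docroot2`, and ending the value with a slash limits it to that directory. The following is an added example, not code from the manual: a lexical model that ignores symbolic links, with `/docroot2` as a hypothetical neighbouring site.

```php
<?php
// Added example: model of how an open_basedir value is matched as a prefix.

// Collapse "." and ".." in an absolute path without touching the disk.
function normalise_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $part;
    }
    return '/' . implode('/', $parts);
}

// Prefix match: the directive value is compared with the start of the
// normalised path. The directory itself also matches "its name plus /".
function open_basedir_allows(string $path, string $basedir): bool
{
    $resolved = normalise_path($path);
    return strncmp($resolved, $basedir, strlen($basedir)) === 0
        || $resolved . '/' === $basedir;
}

// Constructed paths; /docroot2 is a hypothetical neighbouring site.
$paths = [
    '/docroot/script.php',
    '/etc/passwd',
    '/docroot/../etc/passwd',
    '/docroot2/config.php',
];

foreach (['/docroot', '/docroot/'] as $basedir) {
    foreach ($paths as $path) {
        printf("open_basedir=%-10s %-24s %s\n", $basedir, $path,
            open_basedir_allows($path, $basedir) ? 'allowed' : 'denied');
    }
}
```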

You can also disable individual functions. Note that the disable_functions directive cannot be used outside of the php.ini file, which means that you cannot disable functions on a per-virtualhost or per-directory basis in your httpd.conf file. If we add this to our php.ini file:

disable_functions = readfile,system
Then we get this output:
Warning: readfile() has been disabled for security reasons in 
/docroot/script.php on line 2
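
A configuration review for the two points above: disable_functions only counts in php.ini, and disabling system() alone leaves the other program-execution functions from Table 24-2 callable. This is an added example, not part of the manual; the function name, the list of functions to check and the sample configuration text are assumptions.

```php
<?php
// Added example: review php.ini and httpd.conf text for disable_functions gaps.

// Program-execution and loader functions named in Table 24-2.
const EXEC_FUNCTIONS = ['exec', 'system', 'passthru', 'popen', 'shell_exec', 'dl'];

function audit_disable_functions(string $phpIni, string $httpdConf): array
{
    $findings = [];
    $disabled = [];
    foreach (preg_split('/\R/', $phpIni) as $i => $line) {
        $line = trim($line);
        if (stripos($line, 'disable_functions') !== 0) {
            continue; // comment lines (";") and other directives
        }
        if (!preg_match('/^disable_functions\s*=\s*"?([^";]*)/i', $line, $m)) {
            $findings[] = sprintf('php.ini line %d: disable_functions has no "="', $i + 1);
            continue;
        }
        $names = explode(',', strtolower($m[1]));
        $disabled = array_filter(array_map('trim', $names), 'strlen');
    }
    foreach (preg_split('/\R/', $httpdConf) as $i => $line) {
        if (preg_match('/^\s*php_(admin_)?(value|flag)\s+disable_functions\b/i', $line)) {
            $findings[] = sprintf(
                'httpd.conf line %d: disable_functions has no effect outside php.ini',
                $i + 1
            );
        }
    }
    $open = array_values(array_diff(EXEC_FUNCTIONS, $disabled));
    if ($open) {
        $findings[] = 'still callable: ' . implode(', ', $open);
    }
    return $findings;
}

// Constructed input: the functions disabled in the text above, plus a
// hypothetical per-directory attempt in httpd.conf.
$phpIni = "; constructed sample\ndisable_functions = readfile,system\n";
$httpdConf = "<Directory /docroot>\n  php_admin_value disable_functions exec\n</Directory>\n";

foreach (audit_disable_functions($phpIni, $httpdConf) as $finding) {
    echo $finding, "\n";
}
```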

Functions restricted/disabled by safe mode

This is a probably still incomplete and possibly incorrect listing of the functions limited by safe mode.

Table 24-2. Safe mode limited functions

| Function | Limitations |
| --- | --- |
| dbmopen() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| dbase_open() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| filepro() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| filepro_rowcount() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| filepro_retrieve() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| ifx_*() | sql_safe_mode restrictions, (!= safe mode) |
| ingres_*() | sql_safe_mode restrictions, (!= safe mode) |
| mysql_*() | sql_safe_mode restrictions, (!= safe mode) |
| pg_loimport() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| posix_mkfifo() | Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. |
| putenv() | Obeys the safe_mode_protected_env_vars and safe_mode_allowed_env_vars ini-directives. See also the documentation on putenv() |
| move_uploaded_file() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| chdir() | Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. |
| dl() | This function is disabled in safe mode. |
| backtick operator | This function is disabled in safe mode. |
| shell_exec() (functional equivalent of backticks) | This function is disabled in safe mode. |
| exec() | You can only execute executables within the safe_mode_exec_dir. For practical reasons it's currently not allowed to have .. components in the path to the executable. |
| system() | You can only execute executables within the safe_mode_exec_dir. For practical reasons it's currently not allowed to have .. components in the path to the executable. |
| passthru() | You can only execute executables within the safe_mode_exec_dir. For practical reasons it's currently not allowed to have .. components in the path to the executable. |
| popen() | You can only execute executables within the safe_mode_exec_dir. For practical reasons it's currently not allowed to have .. components in the path to the executable. |
| mkdir() | Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. |
| rmdir() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| rename() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. |
| unlink() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. |
| copy() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. (on source and target) |
| chgrp() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| chown() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. |
| chmod() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. In addition, you cannot set the SUID, SGID and sticky bits |
| touch() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. |
| symlink() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. (note: only the target is checked) |
| link() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. (note: only the target is checked) |
| getallheaders() | In safe mode, headers beginning with 'authorization' (case-insensitive) will not be returned. Warning: this is broken with the aol-server implementation of getallheaders()! |
| header() | In safe mode, the uid of the script is added to the realm part of the WWW-Authenticate header if you set this header (used for HTTP Authentication). |
| highlight_file(), show_source() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. (note: only affected since PHP 4.2.1) |
| parse_ini_file() | Checks whether the files or directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed. (note: only affected since PHP 4.2.1) |
| Any function that uses php4/main/fopen_wrappers.c | ?? |

User Contributed Notes
Safe Mode
Marc Delisle
16-Jul-2001 09:49

include() and require() are also limited by safe mode.


08-Sep-2001 01:17

Many filesystem-related functions are not appropriately restricted when
Safe Mode is activated on an NT server it seems.  I would assume that this
is due to the filesystem not making use of UID.

In all of my scripts, no matter WHO owns the script (file Ownership-wise)
or WHO owns the directory/file in question; both UIDs display
(getmyuid() and fileowner()) as UID = 0

This has the rather nasty side effect of Safe Mode allowing multiple
filesystem operations because it believes the script owner and file/dir
owner are one and the same.

While this can be worked around by the judicious application of proper
filesystem privileges, it's still a "dud" that many of Safe
Mode's securities are simply not there with an NT implementation.

phobo#paradise.net.nz
03-Oct-2001 01:21

If you do virtual hosting, you can turn safe mode on and off for different
Apache Virtual Hosts using the php_admin_value directive. This also allows
you to have customised maximum execution times, disabled functions, etc.
By placing a base_dir for each virtual host, this means PHP CANNOT access
files below this hierarchy; strongly recommended for customer hosting.

Eg:

<VirtualHost 127.0.0.1:80>
   DocumentRoot /var/www/html/safephphost/
   ServerName safephp
   php_admin_value safe_mode 1
   php_admin_value open_basedir /var/www/html/safephphost/
   php_admin_value sendmail_from phobo#paradise.net.nz
</VirtualHost>


24-Jan-2002 10:45

Just to note, I created a patch which allows VirtualHost to set the User under
which all (PHP too) runs. It is more secure than safe_mode. See
luxik.cdi.cz/~devik/apache/ if you are interested.


28-Apr-2002 02:42

All the filesystem-related functions (unlink, fopen, unlink, etc.) seem to
be restricted the same way in safe mode, at least on PHP 4.2. If the file
UID is different *but* the directory (where the file is located) UID is
the same, it will work.

So creating a directory in safe mode is usually a bad idea since the UID
will be different from the script (it will be the apache UID) so it won't
be possible to do anything with the files created in this directory.


01-Jun-2002 11:11

This is just a reply to phobo#paradise.net.nz about the virtual server. 
This no longer works on apache, if you do try you will get:
Syntax error on line 1118 of /usr/www/conf/httpd.conf:
php_admin_value not allowed here


13-Jun-2002 09:37

You can use a vhost.conf file.

<Directory /vhosts/domain.com/httpdocs/> 
php_admin_value safe_mode 0
php_admin_value open_basedir "/"
</Directory>

19-Jun-2002 08:44
disable_functions must use "=" operator to assign value. Please
correct example.


07-Jul-2002 06:51

[email protected] wrote in his comment of 02-Oct-2001 07:21: "By
placing a base_dir for each virtual host, this means PHP CANNOT access
files below this hierarchy"

"below" or "above" is obviously a matter of
visualization. The way I understand open_basedir is if you add an
open_basedir clause as in the example provided, php is ONLY able to access
files under the /var/www/html/safephphost/ directory. In other words php
will not be able to access /var/www/html/anotherfile but will be able to
access /var/www/html/safephphost/somefile.

Also - if I understand correctly you do not need "safe_mode on"
when you have an open_basedir clause. (ref: 
"If instead of safe_mode, you set an open_basedir directory then all
file operations will be limited to files under the specified
directory")

iam4webwork at hotmail dot com
11-Jul-2002 04:59

Had to run ImageJPEG() and ImagePNG() out of safe mode in order to finally
get them to work.  My site is on a machine that uses Linux, PHP 4.1.2, GD
1.6.2 and employs safe mode. To get out of safe mode, had to name the 
script with a .cgi extension and insert  #!/usr/bin/php line at top of
script.


19-Jul-2002 07:33

open_basedir only restricts file operations to files and directories under
a specified directory, but you can still use system ("vi
/home/somedir/somefile"), so safe_mode still has a place here as it
is much more restrictive than open_basedir.

Also, to reply to someone who said that 'above' and 'below' was a matter
of perspective, sure it is. Of course, a file is not under another one,
etc., it is just pointed to by some inode. But in the common language we consider
the root (/) to be above everything else, and /home is below root, and
/home/myfile is below /home. There is no written standard, but most people
(those I know anyway) agree on that syntax.

Copyright © 2001, 2002 The PHP Group
All rights reserved.