Re: Squirrelmail and PHP Safe Mode

On Mon, Jan 19, 2009 at 4:19 PM, Andrew Daviel <advax@xxxxxxxxx> wrote:
>
> I am not especially familiar with PHP, so it seemed like a good idea to
> set "safe_mode = on" in /etc/php.ini - in case anything that was
> installed by default bit me when I enabled the webserver, and it seems
> like good practice.

http://php.net/manual/en/features.safe-mode.php

"The PHP safe mode is an attempt to solve the shared-server security
problem. It is architecturally incorrect to try to solve this problem
at the PHP level, but since the alternatives at the web server and OS
levels aren't very realistic, many people, especially ISP's, use safe
mode for now.
Warning: Safe Mode was removed in PHP 6.0.0."

> I was just trying to debug a SquirrelMail problem (the
> recent 1.4.8-5.el4_7.2 update in CENTOS/RHEL is buggy) and tried to run
> the installed version on my desktop to compare.
> I got the error
>   Error opening /var/lib/squirrelmail/prefs/default_pref
>   Could not Create initial preference file!
>   /var/lib/squirrelmail/prefs/ should be writable by user apache
> but it is :
>   drwx------ 2 apache apache 4096 Jan 19 15:17 /var/lib/squirrelmail/prefs/
>   /var/lib/squirrelmail/prefs/default_pref -> ../../../../etc/squirrelmail/default_pref
>   -rw-r----- 1 root apache 83 Sep  2 16:46 /etc/squirrelmail/default_pref
>
> https://localhost/webmail/src/configtest.php says everything is fine,
> though users can't change their timezone
>
> After a lot of messing around I found that, with PHP Safe Mode on,
> file_exists() returns false if e.g. /var/lib/squirrelmail/prefs/foo.pref
> belongs to apache, but true if it belongs to some other user, e.g. root.
>
> This seems totally bizarre to me - I would expect it to be the other way
> around if anything.
>
> As I say, I don't know a lot about PHP.
>
> - Is safe_mode broken to the point of unusability ?
> - If not, is there a way to get SquirrelMail to run with it on ?
> - If so, perhaps configtest.php should flag it. (OK, 1.4.17 does)

safe_mode is not broken that I know of but if you don't understand it,
you are asking for trouble just blindly doing things like this.
Please read:

http://php.net/manual/ini.sect.safe-mode.php

Note things like open_basedir and safe_mode_include_dir etc.

http://php.net/manual/en/features.safe-mode.functions.php

In your case, it looks like your SquirrelMail scripts are owned by
root (may not be desirable).  For example:

"fopen()  	Checks whether the directory in which the script is
operating has the same UID (owner) as the script that is being
executed."

SquirrelMail works under safe_mode, but you need to know what you are doing.

> SquirrelMail version:   1.4.8-5.el5_2.2
> Config file version:    1.4.0
> PHP version 5.1.6
> Apache 2.2.3
>
>   --
>
> In SquirrelMail 1.4.17-1.fc9,  on a Fedora Core 9 machine
> configtest.php does flag safe_mode, saying
> "double check data and attachment directory ownership, etc!"
> But I get the same error at login, and the same odd file_exists
> behaviour.
>
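
The owner comparison discussed in this thread can be modelled offline. This is an added example, not SquirrelMail or PHP code and not part of the original message: it compares the owner of the executing script with the owner of the file being touched and reports which accesses that rule would refuse. Assumptions: the scripts are owned by root (the reply's guess), the script path and the UID 48 for apache are constructed, and a file that does not exist yet is checked through its directory.

```python
import os

def real_owner(path):
    """UID of the path's owner on the local filesystem (follows symlinks)."""
    return os.stat(path).st_uid

def safe_mode_uid_check(script, target, owner_of=real_owner):
    """Model of the owner comparison: the target must have the same owner
    as the executing script. Assumption: when the target does not exist
    yet (a file about to be created), its directory is compared instead.
    Returns (passes, path_that_was_compared)."""
    script_uid = owner_of(script)
    try:
        checked, uid = target, owner_of(target)
    except FileNotFoundError:
        checked = os.path.dirname(target) or "."
        uid = owner_of(checked)
    return uid == script_uid, checked

# Constructed ownership table mirroring the situation in the thread.
ROOT, APACHE = 0, 48          # 48 is a constructed UID standing in for "apache"
SCRIPT = "/usr/share/squirrelmail/src/configtest.php"   # hypothetical path
PREFS = "/var/lib/squirrelmail/prefs"
SAMPLE_OWNERS = {
    SCRIPT: ROOT,                      # assumption: scripts installed as root
    PREFS: APACHE,                     # drwx------ apache apache
    PREFS + "/foo.pref": APACHE,       # file created by the web server user
    PREFS + "/by_root.pref": ROOT,     # same kind of file, owned by root
}

def sample_owner(path):
    """Owner lookup against the constructed table instead of the real disk."""
    if path not in SAMPLE_OWNERS:
        raise FileNotFoundError(path)
    return SAMPLE_OWNERS[path]

def report(names):
    """Run the check for each file name under PREFS against the sample table."""
    return {n: safe_mode_uid_check(SCRIPT, PREFS + "/" + n, sample_owner)
            for n in names}

if __name__ == "__main__":
    rows = report(["foo.pref", "by_root.pref", "new_user.pref"])
    for name, (ok, checked) in rows.items():
        print(f"{name:14} {'pass' if ok else 'FAIL'}  (owner compared on {checked})")
```

With the default `owner_of`, `safe_mode_uid_check()` reads real ownership via `os.stat`, so it can be pointed at an installed script and its data directory.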
