On Mon, Jan 19, 2009 at 4:19 PM, Andrew Daviel <advax@xxxxxxxxx> wrote: > > I am not especially familiar with PHP, so it seemed like a good idea to > set "safe_mode = on" in /etc/php.ini - in case anything that was > installed by default bit me when I enabled the webserver, and it seems > like good practice. http://php.net/manual/en/features.safe-mode.php "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now. Warning: Safe Mode was removed in PHP 6.0.0." > I was just trying to debug a SquirrelMail problem (the > recent 1.4.8-5.el4_7.2 update in CENTOS/RHEL is buggy) and tried to run > the installed version on my desktop to compare. > I got the error > Error opening /var/lib/squirrelmail/prefs/default_pref > Could not Create initial preference file! > /var/lib/squirrelmail/prefs/ should be writable by user apache > but it is : > drwx------ 2 apache apache 4096 Jan 19 15:17 /var/lib/squirrelmail/prefs/ > /var/lib/squirrelmail/prefs/default_pref -> ../../../../etc/squirrelmail/default_pref > -rw-r----- 1 root apache 83 Sep 2 16:46 /etc/squirrelmail/default_pref > > https://localhost/webmail/src/configtest.php says everything is fine, > though users can't change their timezone > > After a lot of messing around I found that, with PHP Safe Mode on, > file_exists() returns false if e.g. /var/lib/squirrelmail/prefs/foo.pref > belongs to apache, but true if it belongs to some other user, e.g. root. > > This seems totally bizarre to me - I would expect it to be the other way > around if anything. > > As I say, I don't know a lot about PHP. > > - Is safe_mode broken to the point of unusability ? > - If not, is there a way to get SquirrelMail to run with it on ? > - If so, perhaps configtest.php should flag it. (OK, 1.4.17 does) safe_mode is not broken that I know of but if you don't understand it, you are asking for trouble just blindly doing things like this. Please read: http://php.net/manual/ini.sect.safe-mode.php Note things like open_basedir and safe_mode_include_dir etc. http://php.net/manual/en/features.safe-mode.functions.php In your case, it looks like your SquirrelMail scripts are owned by root (may not be desirable). For example: "fopen() Checks whether the directory in which the script is operating has the same UID (owner) as the script that is being executed." SquirrelMail works under safe_mode, but you need to know what you are doing. > SquirrelMail version: 1.4.8-5.el5_2.2 > Config file version: 1.4.0 > PHP version 5.1.6 > Apache 2.2.3 > > -- > > In SquirrelMail 1.4.17-1.fc9, on a Fedora Core 9 machine > configtest.php does flag safe_mode, saying > "double check data and attachment directory ownership, etc!" > But I get the same error at login, and the same odd file_exists > behaviour. > ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
