I'm running PHP 4.1.2 as an Apache module (Apache 1.3.24) under AIX 4.3.3.

My problem has been covered in Bug #13447 but I still have it and the bug
was under Windows 2000 but I'm running AIX. It's a security
problem with "unlink". My site runs as the user "web" but different parts of
my site are modified by different developers. Since all
files are owned by "web", I set up an open_basedir so each developer is
limited to file operations on his directory-tree. My
problem is that this setup does not prevent unlinking, which means that one
can delete files that are not under his directory-tree, and
I do not want that. With the following setup, fopen and include are
restricted by open_basedir, which is good. But one can unlink a file
even if it's not under his directory-tree. I have the following in
httpd.conf:

<Directory "/u/uq/web/www.uqtr.ca/">
Options Indexes Includes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
   <IfModule mod_php4.c>
      AddType application/x-httpd-php .php
      php_flag engine on
      php_admin_value safe_mode 1
      php_admin_value safe_mode_exec_dir "/u/uq/web/www.uqtr.ca/"
      php_admin_value doc_root "/u/uq/web/www.uqtr.ca/"
      php_admin_value open_basedir "/u/uq/web/www.uqtr.ca/"
      php_admin_value user_dir "/u/uq/web/www.uqtr.ca/"
   </IfModule>
</Directory>


The file testerase.php is in /u/uq/web/www.uqtr.ca and contains this:

<?php
// THE INCLUDE DOES NOT WORK: IT'S RESTRICTED BY OPEN_BASEDIR AND I'M GLAD
include ('/u/uq/web/entete.uqtr.ca/file_to_include');
// THE UNLINK WORKS: NO RESTRICTION AT ALL AND I'M UNHAPPY
unlink ('/u/uq/web/entete.uqtr.ca/file_to_delete');
?>

I need help. Is it possible to bypass file deletion permission and restrict
the directories in which to unlink?

Thanks,

Patrick
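An application-level containment check for unlink, of the kind a developer could wrap around deletions while open_basedir does not cover unlink in this PHP build. This is an added example, not code from the original post; the function name unlink_within and the file paths in the usage calls are assumed.

```php
<?php
// Added example: refuse to unlink anything whose containing directory
// does not resolve to a location under $base. Written to run on PHP 4
// as well as later versions (no type hints, realpath/strncmp only).
function unlink_within($base, $file)
{
    // Canonicalise the allowed base; realpath() returns false if it
    // does not exist, in which case nothing can be inside it.
    $base_real = realpath($base);
    if ($base_real === false) {
        return false;
    }
    $base_real = rtrim($base_real, '/') . '/';

    // Reject names that would escape or that are not a plain entry.
    $name = basename($file);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // Canonicalise the *directory* holding the file, not the file itself:
    // unlink() removes a symlink, not its target, so the link's own
    // location is what must be inside the base. realpath($file) would
    // instead follow the link and judge the wrong path (FollowSymLinks
    // is enabled in the httpd.conf above).
    $dir_real = realpath(dirname($file));
    if ($dir_real === false) {
        return false;
    }
    $dir_real = rtrim($dir_real, '/') . '/';

    // Prefix check on canonical paths. The trailing slash on $base_real
    // stops a sibling such as /u/uq/web/www.uqtr.ca-other/ from matching.
    if (strncmp($dir_real, $base_real, strlen($base_real)) !== 0) {
        return false;
    }

    return unlink($dir_real . $name);
}

// Usage with the post's own base directory (file names are assumed).
$base = '/u/uq/web/www.uqtr.ca/';
// Under the base: the check passes and unlink() is attempted.
unlink_within($base, '/u/uq/web/www.uqtr.ca/tmp/old.txt');
// Outside the base: refused by the check before unlink() is ever called.
unlink_within($base, '/u/uq/web/entete.uqtr.ca/file_to_delete');
?>
```

The check only helps where every deletion in the application goes through it; it does not change what the PHP engine itself permits, so it complements rather than replaces a fixed open_basedir.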