Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 152722 - php-4.4.4-r6 incorrect behaviour in open_basedir()
Summary: php-4.4.4-r6 incorrect behaviour in open_basedir()
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: PHP Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-24 17:23 UTC by lou
Modified: 2006-11-07 15:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description lou 2006-10-24 17:23:35 UTC 
Hello 

I upgraded dev-lang/php to php-4.4.4-r6 today, and noticed some problems with my applications. I was getting open_basedir() restriction warning on uploads.

PHP Warning:  Unknown(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/tmp/:/var/www/www.domain.com/htdocs/:/usr/lib/php:/usr/share/php) in Unknown on line 0, referer: http://www.domain.com/test.php

Now, my config has the following set for open_basedir:
php_admin_value open_basedir /tmp/:/var/www/www.domain.com/htdocs/:/usr/lib/php:/usr/share/php

The way I understand it, if there is a trailing slash, this means that it can not recursively go further into the directory. I wanted to restrict to just /tmp , so I added /tmp/. This use to work, but after upgrade this does not. It's saying that /tmp is not /tmp/. Changing my open_basedir value to use /tmp instead of /tmp/ fixed the problem, but not sure if this correct, and most importantly, I need to change all of my vhost configurations to allow /tmp now.

Here is a snip from the manual:
[snip]
The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"
[/snip]

[ebuild   R   ] dev-lang/php-4.4.4-r6  USE="apache2 bzip2 cli crypt ctype curl expat ftp gd mhash mysql ncurses nls pcre readline session snmp sqlite ssl truetype unicode xml zlib -adabas -apache -bcmath -berkdb -birdstep -calendar -cdb -cgi -cjk -concurrentmodphp -db2 -dbase -dbmaker -dbx -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filepro -firebird -flatfile -force-cgi-redirect -frontbase -gd-external -gdbm -gmp -hardenedphp -hyperwave-api -iconv -imap -informix -inifile -interbase -iodbc -ipv6 -java-external -java-internal -kerberos -ldap -libedit -mcal -mcve -memlimit -ming -mnogosearch -msql -mssql -oci8 -oci8-instant-client -odbc -oracle7 -overload -ovrimos -pcntl -pfpro -pic -posix -postgres -recode -sapdb -sharedext -sharedmem -sockets -solid -spell -sybase -sybase-ct -sysvipc -threads -tokenizer -wddx -xmlrpc -xpm -xsl -yaz -zip" 0 kB

Portage 2.1.1 (default-linux/x86/2006.0, gcc-4.1.1, glibc-2.4-r3, 2.6.17-hardened-r1 i686)
=================================================================
System uname: 2.6.17-hardened-r1 i686 AMD Sempron(tm)   2600+
Gentoo Base System version 1.12.5
Last Sync: Tue, 24 Oct 2006 09:00:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mcpu=athlon-xp -O3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm berkdb bzip2 cli cracklib crypt dlloader dri eds elibc_glibc emboss esd fortran gdbm gif gpm gstreamer imlib innodb input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux libg++ libwww maildir mp3 mysql ncurses nptl nptlonly ogg openssh pam pcre perl php png pppd pwdb python qt3 qt4 readline reflection sasl session snmp snortsam spell spl ssl tcpd udev userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i740 video_cards_i810 video_cards_imstt video_cards_mga video_cards_neomagic video_cards_nsc video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo vorbis xml xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

Thank you!
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-10-25 09:16:53 UTC 
Hi. This was already reported to us but we couldn't reproduce it ourselves and the guy that reported it said he couldn't test what I think could be the possible fix... I hope you can test it, so we can know if this works or not...
Basically, there is a dev-lang/php-4.4.4-r8 ebuild in our PHP Overlay which contains an updated patch by the PHP devs, _maybe_ it fixes the issue, I can't be sure because no one that has it reported if it works then, so I hope you can do that. :P
To emerge that PHP version, just do the following:
emerge layman && layman -f && layman -a php-testing
this will add the PHP Overlay to your system in an easy way using the Layman software (overlays manager), then just update your dev-lang/php-4*, it should want to update to 4.4.4-r8, try it and tell us if it works then, thanks!
Best regards, CHTEKK.
Comment 2 lou 2006-10-29 06:38:06 UTC 
Hello

I saw that php-4.4.4-r8 is in portage, so I just emerged that. The same thing happens with r8 as with r6, r4 behaves correctly.
Comment 3 Luca Longinotti (RETIRED) gentoo-dev 2006-11-07 15:08:09 UTC 
The fix comes from PHP upstream and is officially included in PHP 5.2.0, it seems the new behaviour to fix an open_basedir issue is to now always check paths against open_basedir, so also your upload tmpdir needs to be included in your open_basedir setting now from PHP 5.2.0 onwards. The fix was backported to 5.1.6 and 4.4.4 here in Gentoo, so the same thing is valid for the latest releases of thoes two PHP versions on Gentoo. Please adapt your configurations to add the correct paths to open_basedir.
Best regards, CHTEKK.