187374 – safe_mode = on and session_start() in php-5.2.3-r3

Bug 187374 - safe_mode = on and session_start() in php-5.2.3-r3

Summary: safe_mode = on and session_start() in php-5.2.3-r3

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	PHP Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2007-08-01 12:41 UTC by Jonas Pedersen
Modified:	2007-08-10 14:46 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jonas Pedersen 2007-08-01 12:41:56 UTC

After upgrading to php-5.2.3-r3 my php applications that uses sessions have started to fail. The only change I have done to php.ini is to turn safe_mode = on. The problems occurs when session_start() is called. When session_start() is called I get below error. It complains about not being able to create session file in /tmp. I first opened bug #42150 at bugs.php.net (http://bugs.php.net/bug.php?id=42150). Apparently this change is for php-5.2.4 and as I understand it from the PHP bug it is still under review and may not even be included/behavior might change. Not sure if it is intended by Gentoo people to include this one in 5.2.3-r3, but I am pretty sure it will break the setup for many people running Gentoo with PHP and Apache. From what I see this is not related to bug #187120. 

Warning: session_start() [function.session-start]: SAFE MODE Restriction in effect. The script whose uid is 81 is not allowed to access /tmp owned by uid 0 in /var/www/localhost/htdocs/test.php on line 2

Fatal error: session_start() [<a href='function.session-start'>function.session-start</a>]: Failed to initialize storage module: files (path: ) in /var/www/localhost/htdocs/test.php on line 2


dev-lang/php-5.2.3-r3  USE="apache2 berkdb cli crypt ftp gd gdbm iconv ipv6 ncurses nls pcre readline reflection session spell spl ssl threads truetype unicode xml zlib (-adabas) -bcmath (-birdstep) -bzip2 -calendar -cdb -cgi -cjk -concurrentmodphp -ctype -curl -curlwrappers -db2 -dbase (-dbmaker) -debug -discard-path -doc (-empress) (-empress-bcs) (-esoob) -exif -fastbuild (-fdftk) -filter (-firebird) -flatfile -force-cgi-redirect (-frontbase) -gd-external -gmp -hash -imap -inifile -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysql -mysqli -oci8 (-oci8-instant-client) -odbc -pcntl -pdo -pdo-external -pic -posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets (-solid) -sqlite -suhosin (-sybase) (-sybase-ct) -sysvipc -tidy -tokenizer -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip -zip-external"

Portage 2.1.2.9 (default-linux/amd64/2006.1/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 30 Jul 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
LINGUAS="da en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk gtk2 hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde libg++ lm_sensors mad midi mikmod mjpeg mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse3 ssl tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="da en" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Zdenek Herman 2007-08-01 13:07:18 UTC

I have same problem 

Portage 2.1.2.9 (default-linux/amd64/2007.0, gcc-3.4.6, glibc-2.3.6-r5, 2.6.17.14 x86_64)
=================================================================
System uname: 2.6.17.14 x86_64 AMD Opteron(tm) Processor 246
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 31 Jul 2007 16:30:11 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=opteron -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X509 accessibility acl acpi adns aim amd64 apache2 apm berkdb bitmap-fonts bzlib calendar chroot cli cracklib crypt cscope ctype curl curlwrappers dba dbm dbx dedicated dio dri erandom exif fam fastcgi fftw flatfile foomaticdb fortran freedts ftp gd gdbm gif gps imap imlib inifile innodb ipv6 isdnlog ithreads jabber jikes jpeg justify kerberos libedit libwww maildir mailwrapper mbox mcal mcve memlimit mhash midi mime ming mmap mmx mng msession mudflap mysql mysqli ncurses nis nls nocardbus nptl nptlonly odbc offensive openmp pam pcntl pcre pdflib perl php png posix pppd prelude pwdb python readline recode reflection sasl session sftplogging simplexml skey slang snmp sockets spell spl sse sse2 ssl sysvipc szip tcpd threads tidy tiff tokensizer truetype-fonts type1-fonts unicode usb vhosts wmf xml xml-rpc xml2 xorg xsl zeo zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS

Comment 2 Jakub Moc (RETIRED) gentoo-dev

2007-08-01 14:12:43 UTC

The is not a bug, it's intended behaviour per upstream patch and the ebuild explicitely points you to this and tells you what to do.

<snip>
if use session; then
    elog "When using open_basedir in conjunction with the session extension"
    elog "make sure you add the value of session.save_path to open_basedir as"
    elog "well, e.g.: with session.save_path=/tmp (default) you should have"
    elog "open_basedir=/your/usual/webdir/:/tmp/"
fi
</snip>

Comment 3 Jonas Pedersen 2007-08-01 14:50:29 UTC

That is what you get from not reading all the output from the emerge :-) 

Actually I was not sure if this was a bug or intended feature. If I read bug #42077 at bugs.php.net (http://bugs.php.net/bug.php?id=42077) I can see that it is still open as the behavior of the patch still might change. This is due to the problems having session.save_path included in open_basedir, as it allows all scripts to read all session files, if all sessions files for the virtual hosts are stored in the same directory. And this is not a good idea. I can also see the problem by not having this patch included due to CVE-2007-3378 (this one is mentioned in the bug).

Comment 4 Jakub Moc (RETIRED) gentoo-dev

2007-08-01 15:00:50 UTC

Shrug; upstream really should do a quick security release, instead of forcing distributions to patch PHP to hell until they release something. :/

Comment 5 Christian Hoffmann (RETIRED) gentoo-dev

2007-08-05 22:36:42 UTC

Upstream has completely new code to solve the security issue in cvs now and we packaged it as php-5.2.4_pre200708051230-r1 (in the php-testing overlay). Could you please test and verify that the bug (more exactly: behaviour change) is fixed there?

Comment 6 Jonas Pedersen 2007-08-06 17:42:21 UTC

I can confirm that my simple test script is working as expected with  php-5.2.4_pre200708051230-r1.

Comment 7 Jakub Moc (RETIRED) gentoo-dev

2007-08-10 14:46:59 UTC

5.2.4_pre200708051230-r2 committed.