<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Security and Safe Mode</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="features.safe-mode.html">Safe Mode</a></div>
<div class="next" style="text-align: right; float: right;"><a href="features.safe-mode.functions.html">Functions restricted/disabled by safe mode</a></div>
<div class="up"><a href="features.safe-mode.html">Safe Mode</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="ini.sect.safe-mode" class="sect1">
<h2 class="title">Security and Safe Mode</h2>
<p class="para">
<table class="doctable table">
<caption><strong>Security and Safe Mode Configuration Directives</strong></caption>
<thead>
<tr>
<th>Name</th>
<th>Default</th>
<th>Changeable</th>
<th>Changelog</th>
</tr>
</thead>
<tbody class="tbody">
<tr>
<td><a href="ini.sect.safe-mode.html#ini.safe-mode" class="link">safe_mode</a></td>
<td>"0"</td>
<td>PHP_INI_SYSTEM</td>
<td>Removed in PHP 5.4.0.</td>
</tr>
<tr>
<td><a href="ini.sect.safe-mode.html#ini.safe-mode-gid" class="link">safe_mode_gid</a></td>
<td>"0"</td>
<td>PHP_INI_SYSTEM</td>
<td>Available since PHP 4.1.0. Removed in PHP 5.4.0.</td>
</tr>
<tr>
<td><a href="ini.sect.safe-mode.html#ini.safe-mode-include-dir" class="link">safe_mode_include_dir</a></td>
<td>NULL</td>
<td>PHP_INI_SYSTEM</td>
<td>Available since PHP 4.1.0. Removed in PHP 5.4.0.</td>
</tr>
<tr>
<td><a href="ini.sect.safe-mode.html#ini.safe-mode-exec-dir" class="link">safe_mode_exec_dir</a></td>
<td>""</td>
<td>PHP_INI_SYSTEM</td>
<td>Removed in PHP 5.4.0.</td>
</tr>
<tr>
<td><a href="ini.sect.safe-mode.html#ini.safe-mode-allowed-env-vars" class="link">safe_mode_allowed_env_vars</a></td>
<td>"PHP_"</td>
<td>PHP_INI_SYSTEM</td>
<td>Removed in PHP 5.4.0.</td>
</tr>
<tr>
<td><a href="ini.sect.safe-mode.html#ini.safe-mode-protected-env-vars" class="link">safe_mode_protected_env_vars</a></td>
<td>"LD_LIBRARY_PATH"</td>
<td>PHP_INI_SYSTEM</td>
<td>Removed in PHP 5.4.0.</td>
</tr>
</tbody>
</table>
For further details and definitions of the
PHP_INI_* modes, see the <a href="configuration.changes.modes.html" class="xref">Where a configuration setting may be set</a>.
</p>
<p class="para">Here's a short explanation of
the configuration directives.</p>
<p class="para">
<dl>
<dt id="ini.safe-mode">
<span class="term">
<em><code class="parameter">safe_mode</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
Whether to enable PHP's safe mode.
If PHP is compiled with <em>--enable-safe-mode</em> then
defaults to On, otherwise Off.
</p>
<div class="warning"><strong class="warning">Warning</strong><p class="simpara">This feature has been
<em class="emphasis">DEPRECATED</em> as of PHP 5.3.0 and <em class="emphasis">REMOVED</em>
as of PHP 5.4.0.</p></div>
</dd>
</dt>
<dt id="ini.safe-mode-gid">
<span class="term">
<em><code class="parameter">safe_mode_gid</code></em>
<span class="type"><a href="language.types.boolean.html" class="type boolean">boolean</a></span>
</span>
<dd>
<p class="para">
By default, Safe Mode does a UID compare check when
opening files. If you want to relax this to a GID compare,
then turn on safe_mode_gid.
Whether to use <em>UID</em> (<strong><code>FALSE</code></strong>) or
<em>GID</em> (<strong><code>TRUE</code></strong>) checking upon file
access.
</p>
</dd>
</dt>
<dt id="ini.safe-mode-include-dir">
<span class="term">
<em><code class="parameter">safe_mode_include_dir</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
<em>UID</em>/<em>GID</em> checks are bypassed when
including files from this directory and its subdirectories (directory
must also be in <a href="ini.core.html#ini.include-path" class="link">include_path</a>
or full path must including).
</p>
<span class="simpara">
As of PHP 4.2.0, this directive can take a colon (semi-colon on
Windows) separated path in a fashion similar to the
<a href="ini.core.html#ini.include-path" class="link">include_path</a> directive,
rather than just a single directory.
</span>
<span class="simpara">
The restriction specified is actually a prefix, not a directory name.
This means that "<em>safe_mode_include_dir = /dir/incl</em>" also allows
access to "<em>/dir/include</em>" and
"<em>/dir/incls</em>" if they exist. When you
want to restrict access to only the specified directory, end with a
slash. For example: "<em>safe_mode_include_dir = /dir/incl/</em>"
</span>
<span class="simpara">
If the value of this directive is empty, no files with different
<em>UID</em>/<em>GID</em> can be included in
PHP 4.2.3 and as of PHP 4.3.3. In earlier versions, all files could be
included.
</span>
</dd>
</dt>
<dt id="ini.safe-mode-exec-dir">
<span class="term">
<em><code class="parameter">safe_mode_exec_dir</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
If PHP is used in safe mode, <span class="function"><a href="function.system.html" class="function">system()</a></span> and the other
<a href="ref.exec.html" class="link">functions executing system programs</a>
refuse to start programs that are not in this directory.
You have to use <em>/</em> as directory separator on all
environments including Windows.
</p>
</dd>
</dt>
<dt id="ini.safe-mode-allowed-env-vars">
<span class="term">
<em><code class="parameter">safe_mode_allowed_env_vars</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
Setting certain environment variables may be a potential security breach.
This directive contains a comma-delimited list of prefixes. In Safe Mode,
the user may only alter environment variables whose names begin with the
prefixes supplied here. By default, users will only be able to set
environment variables that begin with <em>PHP_</em>
(e.g. <em>PHP_FOO=BAR</em>).
</p>
<blockquote class="note"><p><strong class="note">Note</strong>:
<p class="para">
If this directive is empty, PHP will let the user modify ANY
environment variable!
</p>
</p></blockquote>
</dd>
</dt>
<dt id="ini.safe-mode-protected-env-vars">
<span class="term">
<em><code class="parameter">safe_mode_protected_env_vars</code></em>
<span class="type"><a href="language.types.string.html" class="type string">string</a></span>
</span>
<dd>
<p class="para">
This directive contains a comma-delimited list of environment
variables that the end user won't be able to change using
<span class="function"><a href="function.putenv.html" class="function">putenv()</a></span>. These variables will be protected
even if safe_mode_allowed_env_vars is set to allow to change them.
</p>
</dd>
</dt>
</dl>
</p>
<p class="para">
See also: <a href="ini.core.html#ini.open-basedir" class="link">open_basedir</a>,
<a href="ini.core.html#ini.disable-functions" class="link">disable_functions</a>,
<a href="ini.core.html#ini.disable-classes" class="link">disable_classes</a>,
<a href="ini.core.html#ini.register-globals" class="link">register_globals</a>,
<a href="errorfunc.configuration.html#ini.display-errors" class="link">display_errors</a>, and
<a href="errorfunc.configuration.html#ini.log-errors" class="link">log_errors</a>.
</p>
<p class="para">
When <a href="ini.sect.safe-mode.html#ini.safe-mode" class="link">safe_mode</a> is on, PHP checks to see
if the owner of the current script matches the owner of the file to be
operated on by a file function or its directory. For example:
<div class="example-contents">
<div class="lscode"><pre class="lscode">-rw-rw-r-- 1 rasmus rasmus 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd</pre>
</div>
</div>
Running <var class="filename">script.php</var>:
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br /> readfile</span><span style="color: #007700">(</span><span style="color: #DD0000">'/etc/passwd'</span><span style="color: #007700">); <br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
results in this error when safe mode is enabled:
<div class="example-contents screen">
<div class="cdata"><pre>
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2
</pre></div>
</div>
</p>
<p class="para">
However, there may be environments where a strict <em>UID</em>
check is not appropriate and a relaxed <em>GID</em> check is
sufficient. This is supported by means of the <a href="ini.sect.safe-mode.html#ini.safe-mode-gid" class="link">safe_mode_gid</a> switch. Setting it to
<em>On</em> performs the relaxed <em>GID</em> checking,
setting it to <em>Off</em> (the default) performs
<em>UID</em> checking.
</p>
<p class="para">
If instead of <a href="ini.sect.safe-mode.html#ini.safe-mode" class="link">safe_mode</a>, you set an
<a href="ini.core.html#ini.open-basedir" class="link">open_basedir</a> directory then all
file operations will be limited to files under the specified directory.
For example (Apache <var class="filename">httpd.conf</var> example):
<div class="example-contents">
<div class="inicode"><pre class="inicode"><Directory /docroot>
php_admin_value open_basedir /docroot
</Directory></pre>
</div>
</div>
If you run the same <var class="filename">script.php</var> with this
<a href="ini.core.html#ini.open-basedir" class="link">open_basedir</a> setting
then this is the result:
<div class="example-contents screen">
<div class="cdata"><pre>
Warning: open_basedir restriction in effect. File is in wrong directory in
/docroot/script.php on line 2
</pre></div>
</div>
</p>
<p class="para">
You can also disable individual functions. Note that the
<a href="ini.core.html#ini.disable-functions" class="link">disable_functions</a>
directive can not be used outside of the <var class="filename">php.ini</var> file which means that
you cannot disable functions on a per-virtualhost or per-directory basis
in your <var class="filename">httpd.conf</var> file.
If we add this to our <var class="filename">php.ini</var> file:
<div class="example-contents">
<div class="inicode"><pre class="inicode">disable_functions = readfile,system</pre>
</div>
</div>
Then we get this output:
<div class="example-contents screen">
<div class="cdata"><pre>
Warning: readfile() has been disabled for security reasons in
/docroot/script.php on line 2
</pre></div>
</div>
</p>
<div class="warning"><strong class="warning">Warning</strong>
<p class="para">
These PHP restrictions are not valid in executed binaries, of course.
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="features.safe-mode.html">Safe Mode</a></div>
<div class="next" style="text-align: right; float: right;"><a href="features.safe-mode.functions.html">Functions restricted/disabled by safe mode</a></div>
<div class="up"><a href="features.safe-mode.html">Safe Mode</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
