Bug #839
closed
Setting PHP .ini option via -d command line argument not working when using mod_fastcgi
Description
I want to change the open_basedir ini setting for different PHP instances I am running. PHP's command line argument -d allows doing that and it works pretty well on the command line:
    % php4-cgi -d open_basedir=/tmp
    <?php readfile('/etc/passwd'); ?>
    [Ctrl-D]
    <br />
    <b>Warning</b>: readfile(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/tmp) in <b>-</b> on line <b>1</b><br />
    <br />
    <b>Warning</b>: readfile(/etc/passwd): failed to open stream: Operation not permitted in <b>-</b> on line <b>1</b><br />
Just like it should be.
However, when the very same command is executed from lighttpd within the FastCGI module, the restriction doesn't work.
`ps aufx | grep php' shows the following processes started by Lighttpd:
    www-data 26617 0.0 1.1 22244 2880 ? Ss 21:26 0:00 \_ /usr/bin/php4-cgi -d open_basedir=/var/www/xxx/
    www-data 26618 0.0 0.1 22244 368 ? S 21:26 0:00 \_ /usr/bin/php4-cgi -d open_basedir=/var/www/xxx/
    [...]
When I run a testing PHP script on that server (I also echo the output of getmypid() to make sure I am not using another instance of PHP), there is no access restriction whatsoever. I can read `/etc/passwd', and ini_get('open_basedir') returns an empty value. Although the -d option was passed to PHP, it is not being honoured. (I am not sure if this maybe is a PHP problem. If it is, please tell me so!)
This is the relevant part in my Lighttpd configuration file:
    fastcgi.server = ( ".php" =>
      ((
        "socket" => "/tmp/fastcgi." + servername + ".socket",
        "bin-path" => "/usr/bin/php4-cgi -d open_basedir=" + basedir + servername + "/",
        "min-procs" => 0,
        "max-procs" => 1,
        "max-load-per-proc" => 4,
        "idle-timeout" => 20,
        "bin-environment" => (
          "PHP_FCGI_CHILDREN" => "1",
          "PHP_FCGI_MAX_REQUESTS" => "50"
        ),
        "broken-scriptfilename" => "enable"
      )),
    )
-- Julius Plenz <lighttpd-bugs
Updated by Anonymous over 18 years ago
this is a limitation of php-cgi, it does not accept the -d param
Updated by Anonymous over 18 years ago
But it obviously works using the php4-cgi binary:
    % echo '<?php echo readfile("/etc/passwd");?>' | php4-cgi -d open_basedir=/tmp
    Content-type: text/html

    <br />
    <b>Warning</b>: readfile(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/tmp) in <b>-</b> on line <b>1</b><br />
    <br />
    <b>Warning</b>: readfile(/etc/passwd): failed to open stream: Operation not permitted in <b>-</b> on line <b>1</b><br />
-- Julius Plenz <lighttpd-bug
Updated by darix over 18 years ago
21262 execve("/srv/www/cgi-bin/php5", srvwwwcgi-binphp5, 83 vars */) = 0
from strace it looks like we are calling php correctly. might it be that php ignores it later?
Updated by darix over 18 years ago
- Status changed from New to Fixed
- Resolution set to invalid
this is a bug in php. fixed in php 5.2 rc5
- Fixed mess with CGI/CLI -d option (now it works with cgi; constants are working exactly like in php.ini; with FastCGI -d affects all requests). (Dmitry)
Updated by darix over 18 years ago
as a work around:
    var.config_base = "/var/www/etc"

    fastcgi.server = ( ".php" =>
      ((
        "socket" => "/tmp/fastcgi." + servername + ".socket",
        "bin-path" => "/usr/bin/php4-cgi",
        "min-procs" => 0,
        "max-procs" => 1,
        "max-load-per-proc" => 4,
        "idle-timeout" => 20,
        "bin-environment" => (
          "PHP_FCGI_CHILDREN" => "1",
          "PHP_FCGI_MAX_REQUESTS" => "50",
          # PHPRC points php-cgi at the per-vhost directory holding php.ini
          "PHPRC" => config_base + "/" + servername + "/",
        ),
        "broken-scriptfilename" => "enable"
      )),
    )
in config_base you store a php.ini per vhost which should only contain the open_basedir. the global files in /etc/php4 should be pulled in automatically.
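
The per-vhost php.ini layout from the workaround above, as an added shell example that is not part of the original thread or of lighttpd's own tooling. The function names and the vhost-name whitelist are assumptions, and it assumes one docroot directory per vhost under a common base directory, as in the reporter's config.

```shell
#!/bin/sh
# Added example (not from the thread): per-vhost php.ini files for PHPRC.
# Function names and the vhost-name whitelist are assumptions.

# write_vhost_ini CONFIG_BASE BASEDIR SERVERNAME
# Writes CONFIG_BASE/SERVERNAME/php.ini containing only open_basedir.
write_vhost_ini() {
    config_base=$1 basedir=$2 servername=$3

    # Refuse names that could climb out of CONFIG_BASE or inject ini syntax.
    case $servername in
        ''|.*|*[!A-Za-z0-9.-]*)
            echo "bad vhost name: $servername" >&2; return 2 ;;
    esac

    docroot=${basedir%/}/$servername
    [ -d "$docroot" ] || { echo "missing docroot: $docroot" >&2; return 3; }

    dir=${config_base%/}/$servername
    mkdir -p "$dir" || return 1
    tmp=$dir/php.ini.$$
    # Keep the trailing slash: PHP versions that treat open_basedir as a
    # prefix would otherwise let /var/www/a also match /var/www/ab.
    printf 'open_basedir = "%s/"\n' "$docroot" > "$tmp" || return 1
    # Write-then-rename so php-cgi never reads a half-written file.
    chmod 644 "$tmp" && mv "$tmp" "$dir/php.ini"
}

# write_all_vhost_inis CONFIG_BASE BASEDIR
# One php.ini per directory under BASEDIR; prints each file written and
# returns non-zero if any vhost was skipped.
write_all_vhost_inis() {
    rc=0
    for d in "${2%/}"/*/; do
        [ -d "$d" ] || continue
        name=${d%/}; name=${name##*/}
        if write_vhost_ini "$1" "$2" "$name"; then
            echo "${1%/}/$name/php.ini"
        else
            rc=1
        fi
    done
    return $rc
}

# Usage (paths are examples): write_all_vhost_inis /var/www/etc /var/www
```

After pointing PHPRC at the generated directory, confirm the effective value from a request served through lighttpd with ini_get('open_basedir'), as the reporter did, since in this report the command-line run and the FastCGI run behaved differently.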