According to the PHP Safe Mode Docs on safe_mode_gid:

By default, Safe Mode does a UID compare check when opening files. If you want to relax this to a GID compare, then turn on safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) checking upon file access.

To a PHP script running on a web server, what is the difference between a UID (User identifier) check and a GID (Group identifier) check?

+1  A: 

Safe mode UID check is used to prevent users from accessing other people's files. GID is used to prevent a GROUP of users from accessing other GROUPS' files.

Armandas
+2  A: 

This will just allow you a little more flexibility in your web server setup. Using safe_mode_gid, you should be able to run individual PHP/httpd processes for each user on your system, but give each process the ability to read some shared files as long as they are all run as the same group (GID) and the shared files are owned by this group.

pix0r
+1  A: 

For example the webserver username and group is apache:www,

if you set your to check UID, the php process will only have access to any file owned by the user apache. So if you have another webserver running on your system, for example tomcat with the username and group of tomcat:www, any files created by the tomcat process won't be accessible by php because it is owned by the tomcat user.

But if you instead use GID check, the files created by the tomcat process will be readable by the php process because they belong to the same www group.

paan
A: 

Most answers are not exactly true or detailed... Don't forget safe_mode checks if the owner of the SCRIPT matches the owner of the file you want to access. It has nothing to do with the httpd user:group.

For example, your httpd could run as apache:daemon, your script owned by some_user:users and the file you want to write to owned by some_other_user:users.

If you don't activate safe_mode_gid, the script won't be able to access the file because users don't match.

This is a common phenomenon when a script creates a folder and then tries to create files inside this folder.

The folder creation succeeds because the parent folder is owned by the same user as the script creating it (most likely, it was uploaded by "some_user").

BUT, the created folder is now owned by the httpd user, let's say apache:daemon

If safe_mode is active, you won't be able to create a file inside this folder because the script owner (some_user) doesn't match the folder owner (apache).

Even if you activate safe_mode_gid, it won't work because the script group is "users" while the folder group is "daemon".

The best solution is to set the same group for ftp users and httpd. Don't forget you have to allow write access to the group on the "writeable" folder too, and this is less secure because since all your users are in the same group, an httpd process could access the other users' files since you activate safe_mode_gid.

You should in fact combine safe_mode_gid + open_basedir and set the home of the user as open_basedir value to avoid this.

HTH

Capsule
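
The ownership comparison discussed in the answers above, as an added example: a simplified model, not PHP's own implementation and not code from any of the posters. The `/home/...` paths and the use of user and group names in place of numeric UIDs and GIDs are assumptions made for readability.

```php
<?php
// Simplified model of the safe_mode owner check (constructed data throughout).

/** UID compare by default; with safe_mode_gid on, a matching group also passes. */
function safe_mode_allows(array $script, array $target, bool $gidCheck): bool
{
    if ($script['user'] === $target['user']) {
        return true;
    }
    return $gidCheck && $script['group'] === $target['group'];
}

/** open_basedir-style containment. Model only: no symlink or ".." resolution. */
function within_basedir(string $path, string $base): bool
{
    $base = rtrim($base, '/') . '/';
    return strncmp($path . '/', $base, strlen($base)) === 0;
}

// The script was uploaded by some_user, so it is owned by some_user:users.
$script  = ['user' => 'some_user', 'group' => 'users'];
$basedir = '/home/some_user'; // hypothetical home used as the open_basedir value

// Constructed targets taken from the scenarios in the last answer.
$targets = [
    // folder created at runtime, so owned by the httpd user and group
    ['path' => '/home/some_user/uploads', 'user' => 'apache', 'group' => 'daemon'],
    // same folder once httpd and the ftp users share the group "users"
    ['path' => '/home/some_user/uploads', 'user' => 'apache', 'group' => 'users'],
    // another user's file in the same shared group
    ['path' => '/home/some_other_user/data.txt', 'user' => 'some_other_user', 'group' => 'users'],
];

printf("%-32s %-22s %-6s %-6s %s\n", 'target', 'owner', 'UID', 'GID', 'GID+open_basedir');
foreach ($targets as $t) {
    $uid  = safe_mode_allows($script, $t, false);
    $gid  = safe_mode_allows($script, $t, true);
    $both = $gid && within_basedir($t['path'], $basedir);
    printf(
        "%-32s %-22s %-6s %-6s %s\n",
        $t['path'],
        $t['user'] . ':' . $t['group'],
        $uid ? 'allow' : 'deny',
        $gid ? 'allow' : 'deny',
        $both ? 'allow' : 'deny'
    );
}
```

The third row is the case the last answer warns about: the shared group makes the GID check pass for another user's file, and only the open_basedir restriction still denies it.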