Introduction to PHP safe mode (safe_mode)

Source: Internet
Author: User

PHP's safe mode provides a basic safeguard for shared environments. On a web server that runs PHP for multiple user accounts, it compares the UID (user ID) of the executing script with the UID of the file the script tries to access, and this comparison is the basis of the restriction mechanism. If the UIDs are the same, the script is executed; otherwise, the script fails. Enabling safe mode slows execution, because PHP has to check whether the owner of the file and the user executing the script are the same.

When safe_mode = On, the following restrictions apply:
1. All input and output functions (such as fopen(), file(), and require()) are restricted: they can only be used on files that have the same owner as the script calling them. For example, with safe mode enabled, if Mary's script calls fopen() and tries to open a file owned by John, the call fails. However, if Mary owns both the script that calls fopen() and the file that fopen() opens, the call succeeds.
2. If you try to execute scripts through functions such as popen(), system(), and exec(), this is only possible for scripts located in the directory specified by the safe_mode_exec_dir configuration directive.
3. HTTP authentication is further strengthened, because the UID of the authentication script is included in the authentication realm. In addition, PHP_AUTH is not set when safe mode is enabled.
4. If a MySQL database server is used, the user name used to connect to the MySQL server must be the same as the user name of the owner of the file that calls mysql_connect().
Safe mode and disabled functions
The following is a complete list of the functions, variables, and configuration directives that are affected when the safe_mode directive is enabled:
apache_request_headers()   backticks               chdir()
chgrp()                    chmod()                 chown()
copy()                     dbase_open()            dbmopen()
dl()                       exec()                  filepro()
filepro_retrieve()         filepro_rowcount()      fopen()
header()                   highlight_file()        ifx_*
ingres_*                   link()                  mail()
max_execution_time         mkdir()                 move_uploaded_file()
mysql_*                    parse_ini_file()        passthru()
pg_lo_import()             popen()                 posix_mkfifo()
putenv()                   rename()                rmdir()
set_time_limit()           shell_exec()            show_source()
symlink()                  system()                touch()

The following are some configuration directives related to safe mode:
safe_mode_gid = on | off
This directive changes the behavior of safe mode so that the check is made against the group ID (GID) instead of the UID. For example, if Mary and John are in the same user group, Mary's script can call fopen() on John's files.
safe_mode_include_dir = string
The safe_mode_include_dir directive specifies one or more paths in which safe mode is ignored while safe mode is enabled. For example, you can use it to specify a directory containing templates that may be used on several user websites. Multiple directories can be specified; they are separated by colons on UNIX-based systems and by semicolons on Windows.
Note: If a path is specified without a trailing slash, all directories under that path ignore the safe mode settings. For example, if the directive is set to /home/configuration, both /home/configuration/templates/ and /home/configuration/passwords are excluded from the safe mode restrictions. Therefore, if you only want to exclude a single directory or a specific group of directories from the safe mode restrictions, make sure that each directory ends with a trailing slash.
safe_mode_allowed_env_vars = string
When safe mode is enabled, this directive allows user scripts to modify certain environment variables. Multiple variables can be allowed; they are separated by commas.
safe_mode_exec_dir = string
This directive specifies the directories in which system programs can be executed through functions such as system(), exec(), and passthru(). Safe mode must be enabled for it to take effect. The directive has one quirk: on all operating systems (including Windows), the slash (/) must be used as the directory separator.
safe_mode_protected_env_vars = string
This directive prevents certain environment variables from being modified by the putenv() function. By default, the variable LD_LIBRARY_PATH is protected, because modifying this variable at runtime may lead to unpredictable results. For more information about this environment variable, consult a search engine or the Linux manual. Note that any variable declared in this directive overrides the variables declared in the safe_mode_allowed_env_vars directive.
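
The owner check, the safe_mode_gid relaxation and the trailing-slash note for safe_mode_include_dir can be seen together in a small userland model. This is an added example, not code from the original article or from PHP itself: the function names, UIDs, GIDs and paths are constructed for illustration, and it assumes, as the PHP manual documents, that safe_mode_include_dir is matched as a string prefix and applies to included files.

```php
<?php
// Added illustration: a userland model of the safe mode include check.
// Every UID, GID and path below is a constructed sample value.

// True when $path begins with one of the configured prefixes.
// Assumption: the setting is compared as a string prefix, not a directory name.
function exempt_by_include_dir(string $path, string $dirs, string $sep = PATH_SEPARATOR): bool
{
    foreach (explode($sep, $dirs) as $prefix) {
        if ($prefix !== '' && strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Modelled decision for include/require of $file by $script.
function safe_mode_allows_include(array $script, array $file, array $ini): bool
{
    if (exempt_by_include_dir($file['path'], $ini['safe_mode_include_dir'])) {
        return true;                          // owner check bypassed
    }
    if ($script['uid'] === $file['uid']) {
        return true;                          // same owner
    }
    // safe_mode_gid = on relaxes the check to a group match
    return $ini['safe_mode_gid'] && $script['gid'] === $file['gid'];
}

$mary  = ['uid' => 1001, 'gid' => 100];       // owner of the calling script
$files = [
    ['path' => '/home/mary/lib.php',                     'uid' => 1001, 'gid' => 100],
    ['path' => '/home/john/lib.php',                     'uid' => 1002, 'gid' => 100],
    ['path' => '/home/configuration/templates/head.php', 'uid' => 0,    'gid' => 0],
    ['path' => '/home/configuration_backup/db.php',      'uid' => 0,    'gid' => 0],
];
$configs = [
    'gid off, no trailing slash' => ['safe_mode_gid' => false, 'safe_mode_include_dir' => '/home/configuration'],
    'gid on, trailing slash'     => ['safe_mode_gid' => true,  'safe_mode_include_dir' => '/home/configuration/'],
];

foreach ($configs as $label => $ini) {
    echo "== $label ==\n";
    foreach ($files as $file) {
        $verdict = safe_mode_allows_include($mary, $file, $ini) ? 'allowed' : 'denied';
        printf("%-42s %s\n", $file['path'], $verdict);
    }
}
```

Without the trailing slash, /home/configuration_backup/db.php is exempt as well because it shares the string prefix; with the trailing slash it falls back to the owner check. With safe_mode_gid on, John's file is admitted through the shared group.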

 
