What does PHP's safe mode refer to?

Source: Internet
Author: User
Tags: ini, readfile, safe mode, valid
The handbook says:
Chapter 24. Safe Mode
Table of Contents
Functions restricted or disabled by safe mode
PHP's safe mode is an attempt to solve the shared-server security problem. Architecturally it is wrong to try to solve this problem at the PHP level, but the alternatives at the web server and operating system levels are not very realistic, so many people, especially ISPs, use safe mode for now. (Note: safe mode was deprecated in PHP 5.3.0 and removed in PHP 5.4.0; the open_basedir and disable_functions directives described below still exist in current PHP.)


Table 24-1. Configuration directives controlling safe mode

Directive                      Default value
safe_mode                      off
safe_mode_gid                  0
safe_mode_include_dir          ""
safe_mode_exec_dir             1
open_basedir                   ""
safe_mode_allowed_env_vars     PHP_
safe_mode_protected_env_vars   LD_LIBRARY_PATH
disable_functions              ""


When safe_mode is on, PHP checks whether the owner of the current script matches the owner of the file that a file function is about to operate on. Example:

-rw-rw-r--  1 rasmus  rasmus  1 19:20         script.php
-rw-r--r--  1 root    root    1116 May 18:01  /etc/passwd

Running script.php:

<?php
readfile('/etc/passwd');
?>

results in the following error if safe mode is active:

Warning: SAFE MODE Restriction in effect. The script whose uid is [uid of rasmus] is not allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2



There may also be environments in which a looser GID check is sufficient and a strict UID check is inappropriate. The safe_mode_gid option controls this: when it is set to on, the comparison is relaxed to a GID check; when it is off (the default), the strict UID check is used.

In addition to safe_mode, if you set the open_basedir option, all file operations are restricted to the directory you specify. For example, in the Apache configuration:

<Directory /docroot>
    php_admin_value open_basedir /docroot
</Directory>

If you run the same script.php after setting open_basedir, the result is:

Warning: open_basedir restriction in effect. File is in wrong directory in /docroot/script.php on line 2
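The two file-access gates described above, as an added Python model (not PHP's own code, and not code from the page's author): safe_mode compares the uid of the running script with that of the file about to be touched, with safe_mode_gid relaxing that to a gid comparison, and open_basedir resolves the target with realpath() and requires it to start with one of the configured entries. The owners (uid 500 for the script owner is a made-up value) and the temporary directory tree built in demo() are constructed here for illustration. The model also covers a documented open_basedir caveat the text above does not mention: an entry without a trailing slash is a plain string prefix, so open_basedir /docroot also admits /docroot_old.

```python
# Added example: a Python model of PHP safe mode's owner comparison and of the
# open_basedir check. Not PHP's source; owners and the directory tree in demo()
# are constructed for illustration.
import collections
import os
import shutil
import tempfile

# Owner of a file as safe mode sees it: the uid and gid from stat(2).
Owner = collections.namedtuple("Owner", "uid gid")


def owner_of(path):
    """stat() a real path and reduce it to the fields safe mode compares."""
    st = os.stat(path)
    return Owner(st.st_uid, st.st_gid)


def safe_mode_allows(script, target, safe_mode=True, safe_mode_gid=False):
    """safe_mode: the file being touched must have the same uid as the running
    script. With safe_mode_gid on, a matching gid is accepted as well."""
    if not safe_mode:
        return True
    if script.uid == target.uid:
        return True
    return safe_mode_gid and script.gid == target.gid


def open_basedir_allows(target, open_basedir):
    """open_basedir: the target's resolved path must start with one of the
    configured entries (os.pathsep-separated, ':' on Unix as in php.ini).
    realpath() resolves '..' and symlinks first, so neither escapes the tree.
    An entry without a trailing slash is matched as a plain string prefix, so
    '/docroot' also admits '/docroot_old'; end the entry with '/' to confine
    access to that one directory."""
    if not open_basedir:
        return True
    real = os.path.realpath(target)
    for entry in filter(None, open_basedir.split(os.pathsep)):
        base = os.path.realpath(entry)
        if entry.endswith(os.sep):
            if real == base or real.startswith(base.rstrip(os.sep) + os.sep):
                return True
        elif real.startswith(base):
            return True
    return False


def demo():
    """Run both checks over constructed owners and a throwaway directory tree."""
    rasmus = Owner(500, 500)   # constructed: uid 500 is a made-up value
    root = Owner(0, 0)
    script = Owner(500, 33)    # two accounts sharing a common web group
    colleague = Owner(501, 33)
    results = {
        "uid check, script owner reads /etc/passwd": safe_mode_allows(rasmus, root),
        "uid check, shared group only": safe_mode_allows(script, colleague),
        "gid check, shared group only": safe_mode_allows(script, colleague, safe_mode_gid=True),
        "safe_mode off": safe_mode_allows(rasmus, root, safe_mode=False),
    }

    top = tempfile.mkdtemp()
    docroot = os.path.join(top, "docroot")
    etc = os.path.join(top, "etc")
    os.mkdir(docroot)
    os.mkdir(docroot + "_old")          # sibling directory sharing the prefix
    os.mkdir(etc)
    passwd = os.path.join(etc, "passwd")
    open(passwd, "w").close()
    link = os.path.join(docroot, "pw")  # symlink inside docroot pointing outside
    try:
        os.symlink(passwd, link)
    except OSError:                     # e.g. no symlink privilege on Windows
        link = passwd                   # same verdict: the file is outside
    try:
        results.update({
            "open_basedir, /etc/passwd directly": open_basedir_allows(passwd, docroot),
            "open_basedir, via ..": open_basedir_allows(
                os.path.join(docroot, "..", "etc", "passwd"), docroot),
            "open_basedir, via symlink in docroot": open_basedir_allows(link, docroot),
            "open_basedir, file inside docroot": open_basedir_allows(
                os.path.join(docroot, "index.php"), docroot),
            "open_basedir, sibling dir, no trailing slash": open_basedir_allows(
                os.path.join(docroot + "_old", "x"), docroot),
            "open_basedir, sibling dir, trailing slash": open_basedir_allows(
                os.path.join(docroot + "_old", "x"), docroot + os.sep),
        })
    finally:
        shutil.rmtree(top)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-48s %s" % (name, "allowed" if allowed else "denied"))
```

Run it directly to print each case as allowed or denied. The `..` and symlink cases are why a prefix check on the unresolved string would be useless; PHP resolves the path first, which is what realpath() does here, and the two sibling-directory cases show why the open_basedir value should end with a slash.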



You can also disable individual functions. Note that the disable_functions option can only be set in php.ini, which means you cannot disable functions per virtual host or per directory in httpd.conf. If we add the following to php.ini:

disable_functions = readfile,system

then we get the following output:

Warning: readfile() has been disabled for security reasons in /docroot/script.php on line 2



Functions restricted or disabled by safe mode
This list of safe mode restrictions is possibly incomplete or incorrect.

Table 24-2. Safe mode restricted functions
("UID check" below means: the file or directory being operated on must have the same UID (owner) as the script being executed.)

Function                        Restriction
dbmopen()                       UID check on the file or directory being operated on.
dbase_open()                    UID check on the file or directory being operated on.
filepro()                       UID check on the file or directory being operated on.
filepro_rowcount()              UID check on the file or directory being operated on.
filepro_retrieve()              UID check on the file or directory being operated on.
ifx_*()                         sql_safe_mode restrictions (not the same thing as safe mode).
ingres_*()                      sql_safe_mode restrictions (not the same thing as safe mode).
mysql_*()                       sql_safe_mode restrictions (not the same thing as safe mode).
pg_lo_import()                  UID check on the file or directory being operated on.
posix_mkfifo()                  UID check on the directory in which the FIFO is created.
putenv()                        Obeys the safe_mode_protected_env_vars and safe_mode_allowed_env_vars ini directives. See the documentation for putenv().
move_uploaded_file()            UID check on the file or directory being operated on.
chdir()                         UID check on the directory being changed into.
dl()                            Disabled in safe mode.
backtick operator               Disabled in safe mode.
shell_exec()                    (Functional equivalent of backticks.) Disabled in safe mode.
exec()                          Only executables inside safe_mode_exec_dir can be run. For practical reasons, ".." components are currently not allowed in the path to the executable.
system()                        Only executables inside safe_mode_exec_dir can be run. For practical reasons, ".." components are currently not allowed in the path to the executable.
passthru()                      Only executables inside safe_mode_exec_dir can be run. For practical reasons, ".." components are currently not allowed in the path to the executable.
popen()                         Only executables inside safe_mode_exec_dir can be run. For practical reasons, ".." components are currently not allowed in the path to the executable.
mkdir()                         UID check on the directory in which the new directory is created.
rmdir()                         UID check on the file or directory being operated on.
rename()                        UID check on the file being operated on and on the directory it is in.
unlink()                        UID check on the file being operated on and on the directory it is in.
copy()                          UID check on the file being operated on and on the directory it is in (on both source and target).
chgrp()                         UID check on the file or directory being operated on.
chown()                         UID check on the file or directory being operated on.
chmod()                         UID check on the file or directory being operated on. In addition, the SUID, SGID and sticky bits cannot be set.
touch()                         UID check on the file being operated on and on the directory it is in.
symlink()                       UID check on the file being operated on and on the directory it is in. (Note: only the target is checked.)
link()                          UID check on the file being operated on and on the directory it is in. (Note: only the target is checked.)
getallheaders()                 In safe mode, headers beginning with "authorization" (case-insensitive) are not returned. Warning: this is broken with the AOLserver implementation of getallheaders()!
header()                        In safe mode, the UID of the script is added to the realm part of the WWW-Authenticate header if you set that header (used for HTTP authentication).
highlight_file(), show_source() UID check on the file being operated on and on the directory it is in. (Note: only affected since version 4.2.1.)
parse_ini_file()                UID check on the file being operated on and on the directory it is in. (Note: only affected since version 4.2.1.)
Any function that uses php4/main/fopen_wrappers.c ??
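The exec()/system()/passthru()/popen() rows and the putenv() row of the table, as an added Python model (not PHP's source, and not code from the page). It implements what the table states: a command may only run from safe_mode_exec_dir, ".." is refused in the path, and putenv() is filtered by safe_mode_allowed_env_vars (a list of name prefixes) and safe_mode_protected_env_vars (exact names, which win over the allowed list). The command tokenising (split at the first space, keep only the program's basename) and the case handling of the two lists are assumptions of this model, and /usr/local/php-bin is a hypothetical exec directory. LD_LIBRARY_PATH is protected by default because a script that can set it before spawning a process decides which shared libraries that process loads.

```python
# Added example: a Python model of the safe_mode_exec_dir confinement and the
# putenv() filtering of PHP safe mode. Not PHP's own code; tokenising and case
# rules are modelling assumptions, and the exec directory used is hypothetical.
import os


def confine_command(cmd, safe_mode_exec_dir):
    """Rewrite a command line the way safe mode does before it reaches the
    shell. Returns (True, rewritten_command) or (False, warning_text)."""
    if not safe_mode_exec_dir:
        return False, "safe_mode_exec_dir is not set; nothing may be executed"
    if ".." in cmd:
        # Refused anywhere in the string, so '../../bin/sh' cannot leave the dir.
        return False, "No '..' components allowed in path"
    program, _, args = cmd.strip().partition(" ")
    # Only the basename survives: '/bin/sh' becomes '<exec_dir>/sh', so the
    # caller can run nothing the administrator did not place in that directory.
    confined = os.path.join(safe_mode_exec_dir, os.path.basename(program))
    return True, confined + (" " + args.lstrip() if args else "")


def _split_list(value):
    """Parse a comma-separated ini list such as 'PHP_,MY_' into its items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def putenv_allowed(setting, safe_mode_allowed_env_vars="PHP_",
                   safe_mode_protected_env_vars="LD_LIBRARY_PATH"):
    """Decide whether putenv(setting) is permitted under safe mode.
    Returns (True, "") or (False, warning_text). Protected names win over the
    allowed list and are compared case-insensitively; allowed prefixes are
    compared as written (modelling assumption)."""
    name = setting.split("=", 1)[0]
    for protected in _split_list(safe_mode_protected_env_vars):
        if name.lower() == protected.lower():
            return False, "Cannot override protected environment variable '%s'" % name
    prefixes = _split_list(safe_mode_allowed_env_vars)
    # An empty allowed list means any non-protected variable may be set, which
    # the manual warns about: keep the list non-empty on a shared host.
    if prefixes and not any(name.startswith(p) for p in prefixes):
        return False, "Cannot set environment variable '%s' - not in the allowed list" % name
    return True, ""


if __name__ == "__main__":
    exec_dir = "/usr/local/php-bin"   # hypothetical safe_mode_exec_dir value
    for cmd in ("ls -l /tmp", "/bin/sh -c id", "../../bin/sh", "ls"):
        print("%-16s -> %s" % (cmd, confine_command(cmd, exec_dir)))
    for setting in ("PHP_DEBUG=1", "LD_LIBRARY_PATH=/tmp/evil", "PATH=/tmp"):
        print("%-26s -> %s" % (setting, putenv_allowed(setting)))
```

Run it directly to see each command line rewritten or refused and each putenv() call accepted or rejected. The point of the basename rewrite is that an absolute path in the command does not help the caller: "/bin/sh -c id" turns into "/usr/local/php-bin/sh -c id", which only works if the administrator put an sh there.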
