Safe Mode Restriction in Effect
 

Started by hyperion, April 30, 2004, 03:29:18 AM


hyperion

Relevant php.ini settings:


; Safe Mode
;
safe_mode = Off

; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off

; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)
safe_mode_include_dir =

; When safe_mode is on, only executables located in the safe_mode_exec_dir
; will be allowed to be executed via the exec family of functions.
safe_mode_exec_dir =



Safe mode is an enhanced security environment for PHP. Coppermine has no issues with safe mode when it is properly configured for use with Coppermine. However, safe mode configurations are often improper or designed without considering group/user/server issues for autonomous scripts.

Two primary issues may arise in Coppermine with safe mode enabled.  The first occurs when uploading. Normally, each user receives his or her own directory for uploads, and the directory is created by Coppermine. In certain safe mode environments, the owner of the /albums directory and the server are not considered to be the same user. Thus the server is not allowed to create new directories within /albums. Coppermine can sidestep this by refraining from creating new directories if the Silly Safe Mode constant is added to /include/config.inc.php. 


define('SILLY_SAFE_MODE', 1);


This issue may also occur if safe_mode_gid is enabled, but the /albums owner and the server are not of the same group.

The second issue arises when trying to use Image Magick.  Image Magick must be within php.ini's designated safe_mode_exec_dir in order for Coppermine to be able to use IM while operating in safe mode. Also, the exec() function must not be disabled.
"Then, Fletch," that bright creature said to him, and the voice was very kind, "let's begin with level flight . . . ."

-Richard Bach, Jonathan Livingston Seagull
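
To see which album files and directories would trip the owner check described in the post above, the following command-line audit applies the same UID compare (and the relaxed GID compare) to the albums tree. It is an added example, not Coppermine code or code from the original post; the file name `safe_mode_audit.php`, the function names, and the assumption that `upload.php` and `albums/` sit directly under the gallery root are illustrative.

```php
<?php
// Added example, not Coppermine code. Run: php safe_mode_audit.php /path/to/gallery
// Assumption: upload.php and albums/ sit directly under the gallery root.

// The compare described in the php.ini comments: UID by default,
// relaxed to GID only when safe_mode_gid is on.
function safe_mode_verdict($path, $scriptUid, $scriptGid)
{
    if (fileowner($path) === $scriptUid) {
        return 'ok';          // passes the default UID compare
    }
    if (filegroup($path) === $scriptGid) {
        return 'gid-only';    // passes only with safe_mode_gid = On
    }
    return 'blocked';         // fails both compares
}

// Walk the tree (symlinks skipped) and record every entry that fails the UID compare.
function audit_tree($path, $scriptUid, $scriptGid, &$report)
{
    if (is_link($path)) {
        return;
    }
    $verdict = safe_mode_verdict($path, $scriptUid, $scriptGid);
    if ($verdict !== 'ok') {
        $report[$path] = $verdict . ', owner uid ' . fileowner($path);
    }
    if (is_dir($path) && ($handle = opendir($path)) !== false) {
        while (($name = readdir($handle)) !== false) {
            if ($name !== '.' && $name !== '..') {
                audit_tree($path . '/' . $name, $scriptUid, $scriptGid, $report);
            }
        }
        closedir($handle);
    }
}

$root   = isset($argv[1]) ? rtrim($argv[1], '/') : '.';
$script = $root . '/upload.php';   // upload script; its owner is the UID being compared
if (!is_file($script) || !is_dir($root . '/albums')) {
    fwrite(STDERR, "upload.php or albums/ not found under $root\n");
    exit(1);
}
$report = array();
audit_tree($root . '/albums', fileowner($script), filegroup($script), $report);
printf("script owner uid %d: %d path(s) fail the UID compare\n", fileowner($script), count($report));
foreach ($report as $path => $why) {
    echo $why, "\t", $path, "\n";
}
```

Entries reported as `gid-only` are the ones that only work when safe_mode_gid is enabled; entries reported as `blocked` need their ownership corrected by the host.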


steveman2000

#1
help....

I did what you say about the define(.....

but every now and again i get

Warning: chmod(): SAFE MODE Restriction in effect. The script whose uid is 10681 is not allowed to access albums/userpics/10001/web004.jpg owned by uid 2525 in /usr/local/psa/home/vhosts/containerengineering.co.uk/httpdocs/g/upload.php on line 2229

Warning: getimagesize(): SAFE MODE Restriction in effect. The script whose uid is 10681 is not allowed to access albums/userpics/10001/web004.jpg owned by uid 2525 in /usr/local/psa/home/vhosts/containerengineering.co.uk/httpdocs/g/include/picmgmt.inc.php on line 109

Warning: getimagesize(albums/userpics/10001/web004.jpg): failed to open stream: Unknown error: 0 in /usr/local/psa/home/vhosts/containerengineering.co.uk/httpdocs/g/include/picmgmt.inc.php on line 109

help...

<<UPDATE>>
Um, prob fixed!... a minor mistake that I overlooked....

Clampner

#2
Server restrictions (safe mode)?
------------------
Directive | Local Value | Master Value
safe_mode | On | Off
safe_mode_exec_dir | /srv/www/htdocs/empty/ | no value
safe_mode_gid | Off | Off
safe_mode_include_dir | no value | no value
safe_mode_exec_dir | /srv/www/htdocs/empty/ | no value
sql.safe_mode | Off | Off
disable_functions | no value | no value
file_uploads | On | On
include_path | .:/usr/share/php | .:/usr/share/php
open_basedir | /srv/www/htdocs/web0/ | no value
==========================


How can I switch the local value of safe mode to off?
I have the safe mode problem. In my php.ini I switched safe mode to off, but in debug mode it is on (local value).
My friend uses the same gallery with the same setup and php.ini. He just changed the name and FAQ and deleted users.

Joachim Müller

Did you actually read the thread you were replying to? Hyperion's post has all relevant data, as well as the documentation that comes with Coppermine.

Joachim

Kapu

Warning: SAFE MODE Restriction in effect. The script whose uid is 1013 is not allowed to access albums/userpics/10001/logo.jpg owned by uid 33 in /var/www/blubb/members/kapu/Die offizielle United-Ks Website-Dateien/Inhalt/Galerie/pic/cpg1.3.2/cpg132/upload.php on line 2229

Warning: SAFE MODE Restriction in effect. The script whose uid is 1013 is not allowed to access albums/userpics/10001/logo.jpg owned by uid 33 in /var/www/blubb/members/kapu/Die offizielle United-Ks Website-Dateien/Inhalt/Galerie/pic/cpg1.3.2/cpg132/include/picmgmt.inc.php on line 118

Warning: getimagesize: Unable to open 'albums/userpics/10001/logo.jpg' for reading. in /var/www/blubb/members/kapu/Die offizielle United-Ks Website-Dateien/Inhalt/Galerie/pic/cpg1.3.2/cpg132/include/picmgmt.inc.php on line 118

---

What did I do wrong? I have no clue???

Joachim Müller

Did you actually read this thread? Did you apply the change mentioned? I doubt that a path containing spaces is a good idea at all:
Quote:
/var/www/blubb/members/kapu/Die offizielle United-Ks Website-Dateien/Inhalt/Galerie/pic/cpg1.3.2/cpg132/include/picmgmt.inc.php

Joachim

Kapu

#6
This works in German too, right???

So you mean I should take out the spaces, and then it would work???

Although I changed the file, I always get this: "Die vorhergehende Datei konnte nicht gesetzt werden.

Alle Dateien wurden erfolgreich Alben zugeordnet."

kegobeer

Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots

Joachim Müller

Quote from: Kapu on January 30, 2005, 05:26:08 PM
This works in German too, right???

So you mean I should take out the spaces, and then it would work???

Although I changed the file, I always get this: "Die vorhergehende Datei konnte nicht gesetzt werden.

Alle Dateien wurden erfolgreich Alben zugeordnet."
No, it doesn't: http://coppermine.sourceforge.net/faq.php#nonEnglishPosting
I have already explained at length why I don't provide support in German, and I won't repeat it here.
No, there's no German support from me: http://coppermine.sourceforge.net/faq.php#nonEnglishPosting
I have posted before why I won't, so I won't repeat this here.

Joachim

Kapu

[German] Joachim is very unfriendly to me.

Joachim is not very nice to me.

[French] Joachim is not very ...nice.

Oh man, I got it!!!

Hein Traag

Attitude does not get you anywhere on this board. We are all here to help in our free/work time and you as user are expected to thoroughly read the faq and search the board before posting. Giving back answers like this is not the way you pay respect to those who help out  :-* Think before you post!


normal

I've read this thread twice now, and I understand what it's about as well as anyone unfamiliar with PHP code is going to understand it. I followed the instructions and added the code:

define('SILLY_SAFE_MODE', 1);

to config.inc.php

When I tried to upload it returned a "critical error" regarding a "parameter ()".

Forgive my total ignorance, but where and how exactly am I supposed to add the above snippet of code to the config.inc.php file?

Thanks,
David Normal

http://www.normal-design.com/copper-gallery




Nibbler

It can go anywhere that is valid php syntax -  exact positioning is not important, the default location is here:

<?php
// Coppermine configuration file

define('SILLY_SAFE_MODE', 1);


// MySQL configuration
$CONFIG['dbserver'] =                         'localhost';        // Your databaseserver
$CONFIG['dbuser'] =                         'root';        // Your mysql username
$CONFIG['dbpass'] =                         '';                // Your mysql password
$CONFIG['dbname'] =                         'coppermine';        // Your mysql database name


// MySQL TABLE NAMES PREFIX
$CONFIG['TABLE_PREFIX'] =                'cpg132_';
?>

normal

Thanks for that, Nibbler.

I pasted it up exactly as you show, however I am still getting:

"Critical Error:  Script called without the required parameter(s). "

What can I do about this?

- David

normal

Well, now it's working without adding the "Silly Safe Mode" code. Why it was not working previously, and now is, I do not know.

Perhaps, I'm missing something, but is the above command actually just telling the PHP safety mode that it is being silly?

- David

globalisation

Hello. I have resolved my problem about the safe mode.
I had to include the silly safe mode function in the upload.php file and the picmgmt.inc file too, and the config.inc.php file.
Thank you all for the support.

vici

Quote from: globalisation on October 06, 2005, 09:05:09 AM
Hello. I have resolved my problem about the safe mode.
I had to include the silly safe mode function in the upload.php file and the picmgmt.inc file too, and the config.inc.php file.
Thank you all for the support.
thanks hun
you really made my day  :-*

Joachim Müller

Quote from: globalisation on October 06, 2005, 09:05:09 AM
I had to include the silly safe mode function in the upload.php file and the picmgmt.inc file too, and the config.inc.php file.
that's just wrong. Locking this thread to avoid individual requests cluttering this sticky thread even more. *sigh*