# Problem with PHP safe_mode ON, php_admin_value session.save_

## fschaller

Hi,

I've got the following error

```
[28-Dec-2005 21:56:21] PHP Warning:  Unknown(): SAFE MODE Restriction in effect.  The script whose uid is 0 is not allowed to access /var/www/www.xyz.com/sessions owned by uid 81 in Unknown on line 0
```

Configuration is:

```
<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName   www.xyz.com
    DocumentRoot /var/www/www.xyz.com/htdocs

    <Directory "/var/www/www.xyz.com/htdocs">
        Options FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    php_admin_value open_basedir /var/www/www.xyz.com/
    php_admin_value session.save_path /var/www/www.xyz.com/sessions/
</VirtualHost>
```

Apache runs chrooted with mod_security. /etc/passwd has only information about the apache user. Sessions are saved in the /session directory.

Has anyone an idea?

Thank you very much!

Best regards

Frederik

----------

## musket

Hmm, I'm pretty sure my friend got that.. I'll get back to you

----------

## hanj

Hello

The problem is the script's owner is not matching up with the uid value in session file. Looks like the script is owned by root (uid 0) and the sessions are owned by apache (uid 81).

You have a couple of options.

1. Change the owner of the executing script to be apache.

2. Change the group of the executing script to be apache, and set safe_mode_gid to true in your vhost conf.

Here is an example:

```
<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName   www.xyz.com
    DocumentRoot /var/www/www.xyz.com/htdocs

    <Directory "/var/www/www.xyz.com/htdocs">
        Options FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    php_admin_value open_basedir /var/www/www.xyz.com/
    php_admin_value session.save_path /var/www/www.xyz.com/sessions/
    # safe_mode_gid is a boolean directive, so it is set with php_admin_flag
    php_admin_flag safe_mode_gid On
</VirtualHost>
```

From php.net (http://us2.php.net/features.safe-mode):

 *Quote:*   

> safe_mode_gid  boolean
> 
> By default, Safe Mode does a UID compare check when opening files. If you want to relax this to a GID compare, then turn on safe_mode_gid. Whether to use UID (FALSE) or GID (TRUE) checking upon file access. 

 

Hope this helps

hanji
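
An added example, not part of the thread: a shell model of the UID/GID comparison described in the quoted documentation, for checking a script and the session directory from the command line. The function names and the `on`/`off` argument are assumptions made for this example, and it models only the owner comparison, not the rest of Safe Mode.

```shell
#!/bin/sh
# Simplified model of the Safe Mode owner comparison (added example).

# owner_ids PATH -> prints "uid gid" (GNU/busybox stat first, BSD stat as fallback)
owner_ids() {
    stat -c '%u %g' "$1" 2>/dev/null || stat -f '%u %g' "$1" 2>/dev/null
}

# safe_mode_verdict SCRIPT TARGET [on|off]
# The third argument mirrors safe_mode_gid (default: off).
# Prints allow-uid, allow-gid, or a "deny: ..." line with all four ids.
# Returns 0 = allowed, 1 = denied, 2 = a path could not be inspected.
safe_mode_verdict() {
    script=$1 target=$2 gid_mode=${3:-off}
    s=$(owner_ids "$script") || { echo "cannot stat $script"; return 2; }
    t=$(owner_ids "$target") || { echo "cannot stat $target"; return 2; }
    s_uid=${s% *}; s_gid=${s#* }
    t_uid=${t% *}; t_gid=${t#* }

    # Default check: the script's owner must equal the target's owner.
    if [ "$s_uid" = "$t_uid" ]; then
        echo allow-uid
        return 0
    fi
    # Relaxed check: with safe_mode_gid on, a matching group is enough.
    if [ "$gid_mode" = on ] && [ "$s_gid" = "$t_gid" ]; then
        echo allow-gid
        return 0
    fi
    echo "deny: script uid=$s_uid gid=$s_gid, target uid=$t_uid gid=$t_gid"
    return 1
}

# Stand-alone use: sh check.sh /path/to/script.php /path/to/sessions on
if [ "$#" -ge 2 ]; then
    safe_mode_verdict "$@"
fi
```

The comparison uses numeric ids only, so it gives the same answer whether or not the ids resolve to names in /etc/passwd.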

----------

## fschaller

Hi hanji

Thanks for the answer. I knew that. A chmod -R apache /var/www/www.xyz.com and chgrp -R apache /var/www/www.xyz.com gives me the same error message.

Any other ideas, or do I miss the point?

Regards

Frederik

----------

## hanj

Same error? So it's still complaining about script who is owned by UID 0?? Are you sure the script that is doing this execution lives in /var/www/www.xyz.com? Your chgrp would have fixed that.

Did you add the safe_mode_gid bool in vhost?

Did you remember to restart apache after the change?

Thanks

hanji

----------

## fschaller

 *Quote:*   

> Are you sure the script that is doing this execution lives in /var/www/www.xyz.com?

 

No, absolutely not... but then it would be a native php function?? PHP is running as mod_php under the apache user. That should be fine too. By the way: Joomla and Typo3 are causing this error and since I've only virtual users (WebDAV) I never had this kind of owner/group problems  :Wink: .

To all other questions the answer is yes  :Wink: 

Frederik

----------

## fschaller

Is it possible, that my chroot for apache (mod_security) might have an impact??

By the way: if the sessions are stored in /tmp (default setting) I have no error messages at all. But since this setting is not too trustworthy I'd like to change that.

Thanks again.

Frederik

----------

## hanj

Frederik

I'm stumped! 

mod_security may be an issue.. but I doubt it. I'm really confused why PHP thinks that it's a script owned by root? I wonder if you put the safe_mode_gid setting in the php.ini rather than the vhost to see if there is a change.

hanji

----------

## fschaller

I set safe_mode_gid in the php.ini, no differences.

What do you think about that:

I create a directory /var/www/sessions/xyz.com, xyz2.com etc. and set the safe_mode_include_dir to /var/www/sessions/xyz.com... Not nice, but it could work... in my opinion quite ugly.

Frederik

----------

## hanj

Yeah.. that's ugly.. but try it as an experiment. I think there is a strange bug here. It would be good to figure out the 'real' solution in case others run into this.

Also, have you output the values of phpinfo() to make sure those values are being set (either globally or locally)? I think we need to determine if the fixes are really being applied. Might help us determine if this is a chroot problem as you mentioned earlier.

Now I'm moving towards the chroot possibility.

hanji

----------

## fschaller

Maybe last post to this topic

If I set the path in the php.ini for the sessions, everything works fine... I will use it this way.

Best regards

Frederik

----------

## fschaller

Hey hanji

You never give up  :Very Happy: !

Here it comes (the value before colon is for this virtual host, value after colon is default)

```
Session Support  enabled
Registered save handlers  files user

Directive Local Value Master Value
session.auto_start Off, Off
session.bug_compat_42 On, On
session.bug_compat_warn On, On
session.cache_expire 180, 180
session.cache_limiter nocache, nocache
session.cookie_domain no value, no value
session.cookie_lifetime 0, 0
session.cookie_path /, /
session.cookie_secure Off, Off
session.entropy_file no value, no value
session.entropy_length 0, 0
session.gc_divisor 100, 100
session.gc_maxlifetime 1440, 1440
session.gc_probability 1, 1
session.name 41186e8ffe6e13536a0b7fe5f4392f37, PHPSESSID
session.referer_check no value, no value
session.save_handler files, files
session.save_path /var/www/www.xyz.com/sessions/, /var/www/sessions/
session.serialize_handler php, php
session.use_cookies On, On
session.use_only_cookies Off, Off
session.use_trans_sid Off, Off
```

Error is

```
[29-Dec-2005 01:57:58] PHP Warning:  Unknown(): SAFE MODE Restriction in effect.  The script whose uid is 0 is not allowed to access /var/www/www.xyz.com/sessions owned by uid 81 in Unknown on line 0
```

I saw a bug in php.net on this topic... but for version 4.2.x

Good night (here in Switzerland it's 1:06 am  :Wink: ).

Frederik

----------

## fschaller

Hi hanji,

Another idea: I applied the hardened patch (hardenedphp-flag). Maybe this has an impact too.

Frederik

----------

