
Include permissions / disable_function


jagould2000


I am currently building a shared hosting environment where developers can place PHP code that interacts with an SDK we have developed. For security, we want to limit what the developer in this 'sandbox' can do by turning off functions in the php.ini using disable_functions. For example, fopen would be disabled.

 

However, our SDK, which we provide to the developer, may need to use some of these disabled functions. Is there a way to do any of the following:

 

- Include a file from one directory and have the contents of the file run in the directory it is in, not in the directory it was included from? (Have the SDK sit outside the developer's directory, somewhere all calls are allowed?)

 

- Limit the calls allowed in a block of code, not for the whole directory?

 

- Build a binary, or PHP module, that can run any PHP command, but allow its functions to be called from a directory that is limited? We looked at Zend Guard, but the compiled binary sitting in the developer's directory runs with the directory permissions of the directory it is in, so the functions inside wouldn't work as they need functions that are disabled.

 

The only way we have come up with is to have the SDK as a PHP file in an 'unlimited' directory and have the developer post to it and get the results. The posting method would allow you to cross directories and have different limitations in each.

 

I'm just wondering if there is a more elegant solution using includes or PHP modules.

Link to comment
Share on other sites

You actually have 2 options:

 

1) disable the function you do not want the user to use and create a counterpart which provides this functionality under controlled circumstances, for example:

 

sdk_fopen(..) which would add additional control structures to verify the user is opening a file they are authorized to open

 

2) enable all functions and set open_basedir (http://be.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir) or set safe_mode (http://be.php.net/manual/en/ini.sect.safe-mode.php#ini.safe-mode) to on. If you only want to disable including remote files, consider disabling allow_url_fopen.

Link to comment
Share on other sites
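One way to write the `sdk_fopen()` counterpart suggested in the reply above, as an added example that is not code from the thread or from any SDK. It assumes the wrapper runs where `fopen()` is still enabled, for instance the separate unrestricted endpoint described in the first post; `sdk_resolve()`, the `$sandboxRoot` argument and the demo paths are hypothetical.

```php
<?php
// Added example: hypothetical sdk_fopen(); $sandboxRoot is the developer's directory.
function sdk_resolve(string $sandboxRoot, string $userPath): string
{
    // Reject NUL bytes and stream wrappers such as http:// or php://.
    if ($userPath === '' || strpos($userPath, "\0") !== false
        || strpos($userPath, '://') !== false) {
        throw new RuntimeException('path rejected');
    }
    $root = realpath($sandboxRoot);
    if ($root === false) {
        throw new RuntimeException('sandbox root missing');
    }
    // Every path is taken relative to the sandbox, even one starting with "/".
    $candidate = $root . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    // realpath() collapses ".." and follows symlinks; a new file is checked via its parent.
    $real = realpath($candidate);
    if ($real === false) {
        $parent = realpath(dirname($candidate));
        if ($parent === false || is_link($candidate)) { // dangling symlink refused
            throw new RuntimeException('path rejected');
        }
        $real = $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
    // The trailing separator stops /home/dev1 from matching /home/dev10.
    if (strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes sandbox');
    }
    return $real;
}

function sdk_fopen(string $sandboxRoot, string $userPath, string $mode)
{
    // Mode allowlist; anything else is refused.
    if (!in_array($mode, ['r', 'rb', 'w', 'wb', 'a', 'ab'], true)) {
        throw new RuntimeException('mode rejected');
    }
    return fopen(sdk_resolve($sandboxRoot, $userPath), $mode);
}

// Constructed demo: a temporary directory stands in for one sandbox.
$root = sys_get_temp_dir() . '/sdk_demo_' . getmypid();
mkdir($root);
file_put_contents($root . '/notes.txt', "hello\n");
foreach (['notes.txt', '../../etc/passwd', 'php://memory'] as $p) {
    try {
        echo $p, ': ', is_resource(sdk_fopen($root, $p, 'r')) ? 'opened' : 'failed', "\n";
    } catch (RuntimeException $e) {
        echo $p, ': ', $e->getMessage(), "\n";
    }
}
```

The path check and the `fopen()` call are separate steps, so a symlink swapped in between them is not caught by this check.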

In scenario 1, if I disable fopen(), how will the sdk_fopen() work? When the SDK is included, won't it run in the developer's directory and be restricted from running fopen() internally?

 

Where would you suggest the SDK live so that the developer is restricted but the code inside isn't? And how then would the restricted developer load the SDK?

 

Thanks,

 

Jonathan

Link to comment
Share on other sites

I gave this a try:

 

- Put the SDK in a directory outside of the developer's folder.

- Set safe_mode on and open_basedir to ".:/sdk_directory/" in the developer directory only.

- Set include_path and safe_mode_include_dir to ".:/sdk_directory/".

 

This limited the developer to certain commands and will only let them include files from the SDK or their own directory.

 

However, commands like fopen and chown that are limited by safe_mode don't work in the SDK functions as they are being included and executed in the developer's directory, not the SDK directory.

 

Is there a way to allow the SDK functions to use these limited commands but not the developer's code?

 

Any thoughts?

 

 

Link to comment
Share on other sites
