PHP's Safe Mode attempts to provide a degree of basic security in a shared environment, where multiple user accounts exist on a PHP-enabled web server.
When a web server is running PHP in Safe Mode, some functions are disabled completely, and others are available with limited functionality.
Restrictions Enforced by Safe Mode
Functions that attempt to access the filesystem have restricted functionality in Safe Mode. The web server process runs under the same user ID for all web space accounts and must have the appropriate read or write permission to access a file. This is a requirement of the underlying operating system and has nothing to do with PHP itself.
When Safe Mode is enabled and an attempt is made to read or write a local file, PHP checks whether file ownership of the script is the same as that of the target file. If the owner differs, the operation is prohibited.
The following core filesystem functions are restricted by this rule:
Functions that are part of PHP extensions that also access the filesystem are similarly affected.
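The ownership rule described above can be reproduced in userland, which is useful for understanding exactly what Safe Mode compared (and for PHP 5.4 and later, where Safe Mode no longer exists). The following is an added example, not code from the original text or from PHP itself: safe_mode_permits() compares the owner of the running script with the owner of the target file (or, like the safe_mode_gid variant, the group), and safe_read() refuses the read when they differ. The assumption that a not-yet-existing target is checked against its parent directory is mine; the temporary file and the /etc/passwd path used in the demo are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example: a userland reproduction of the Safe Mode ownership check.
// Safe Mode compared the UID (or, with safe_mode_gid = On, the GID) of the
// script file with that of the file being accessed and refused the operation
// when they differed.
function safe_mode_permits(string $script, string $target, bool $compareGid = false): bool
{
    // Assumption: a target that does not exist yet (e.g. a file about to be
    // created) is checked against the directory it would be created in.
    $path = file_exists($target) ? $target : dirname($target);

    if ($compareGid) {
        return filegroup($script) === filegroup($path);
    }
    return fileowner($script) === fileowner($path);
}

// Wrapper around file_get_contents() that applies the check first.
function safe_read(string $target, bool $compareGid = false): string
{
    if (!safe_mode_permits(__FILE__, $target, $compareGid)) {
        throw new RuntimeException(
            "Safe Mode restriction: owner of $target differs from the script owner"
        );
    }
    return (string) file_get_contents($target);
}

// Demo 1: a constructed temporary file created by the same user as this
// script, so the ownership check passes and the contents are returned.
$own = tempnam(sys_get_temp_dir(), 'sm');
file_put_contents($own, "owned by the same user\n");
echo safe_read($own);

// Demo 2: /etc/passwd is normally owned by root. Unless this script is itself
// run as root (or on Windows, where fileowner() reports 0 for every file), the
// check fails and the read is refused.
try {
    echo safe_read('/etc/passwd');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

unlink($own);
```

Note that, exactly as with the real Safe Mode, the check is purely an ownership comparison on top of the operating system's own permission bits: a file the web server user cannot read is still unreadable, and a file it can read becomes accessible only when the ownership matches.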
Functions that execute host programs are disabled unless they are run from the directory given in the safe_mode_exec_dir directive, which you will learn about in the next section. Even if execution is allowed, arguments to the commands are automatically passed to the escapeshellcmd function.
The following program execution functions are affected by this rule:
In addition, the backtick operator (`) is disabled.
The putenv function has no effect in Safe Mode, and no error is produced, except for variables whose names match a prefix listed in the safe_mode_allowed_env_vars directive (covered in the next section). Similarly, other functions that attempt to change the PHP environment, such as set_time_limit and set_include_path, are silently ignored.
Enabling Safe Mode
You turn Safe Mode on or off by using the safe_mode directive in php.ini. To activate Safe Mode for all users on a shared web server, you use the following directive:
safe_mode = On
As you learned in the previous section, functions that access the filesystem perform a check on the owner of the file. By default, the check is performed on the file owner's user ID, but you can relax this to check the owner's group ID (GID) instead by turning on the safe_mode_gid directive.
If you have shared library files on your system, you can use the safe_mode_include_dir directive to specify a list of locations for which the UID/GID check is not performed when an include or require statement is encountered.
To allow inclusion of files in /usr/local/include/php for any user in Safe Mode, you would use the following directive:
safe_mode_include_dir = /usr/local/include/php
To specify the directory from which system programs may be executed, you use the safe_mode_exec_dir directive.
To allow programs in /usr/local/php-bin to be executed in Safe Mode, you would use the following directive:
safe_mode_exec_dir = /usr/local/php-bin
To allow setting of certain environment variables, you use the safe_mode_allowed_env_vars directive. The value given is a prefix, and by default it allows only environment variables that begin with PHP_ to be changed. If more than one value is given, the list should be separated by commas.
The following directive also allows the time zone environment variable, TZ, to be changed:
safe_mode_allowed_env_vars = PHP_,TZ
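The two remaining restrictions, program execution confined to safe_mode_exec_dir with arguments passed through escapeshellcmd (described under "Restrictions Enforced by Safe Mode"), and environment changes limited to the prefixes in safe_mode_allowed_env_vars (described just above), can likewise be reproduced in userland. This is an added example and not code from the original text or from PHP; safe_mode_exec() and safe_mode_putenv() are my own names, the way the program name is reduced to its basename and looked up inside the exec directory is my reading of the old behaviour, and the temporary directory, the hello.sh script and the environment strings in the demo are constructed inputs.

```php
<?php
declare(strict_types=1);

// Added example: userland reproduction of the Safe Mode execution and
// environment restrictions.

// Run a program only if it lives in $execDir (the safe_mode_exec_dir role).
// Assumption: only the basename of the requested program is used, so a path
// such as ../../bin/sh cannot escape the directory; the resolved path must
// still sit directly inside $execDir after symlinks are followed.
function safe_mode_exec(string $execDir, string $program, array $args): array
{
    $dir = realpath($execDir);
    if ($dir === false) {
        throw new RuntimeException("exec dir does not exist: $execDir");
    }

    $path = realpath($dir . DIRECTORY_SEPARATOR . basename($program));
    if ($path === false || dirname($path) !== $dir || !is_executable($path)) {
        throw new RuntimeException("program not permitted in Safe Mode: $program");
    }

    // Safe Mode handed the argument string to escapeshellcmd(), which
    // neutralises shell metacharacters (;, |, &, `, $ and so on) but does not
    // quote each argument separately; escapeshellarg() per argument is the
    // stricter choice when you control the call.
    $argString = escapeshellcmd(implode(' ', $args));
    $command = escapeshellarg($path) . ($argString === '' ? '' : ' ' . $argString);

    exec($command, $output, $status);
    return ['command' => $command, 'status' => $status, 'output' => $output];
}

// Apply a NAME=value setting only if NAME starts with one of the comma
// separated prefixes (the safe_mode_allowed_env_vars role). Anything else is
// silently ignored, as putenv() was in Safe Mode.
function safe_mode_putenv(string $setting, string $allowedPrefixes = 'PHP_'): bool
{
    [$name] = explode('=', $setting, 2);
    foreach (explode(',', $allowedPrefixes) as $prefix) {
        $prefix = trim($prefix);
        if ($prefix !== '' && strncmp($name, $prefix, strlen($prefix)) === 0) {
            return putenv($setting);
        }
    }
    return false;
}

// Demo: a constructed exec directory holding one tiny shell script.
$execDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'php-bin-' . getmypid();
mkdir($execDir, 0700);
$script = $execDir . DIRECTORY_SEPARATOR . 'hello.sh';
file_put_contents($script, "#!/bin/sh\necho \"args: \$*\"\n");
chmod($script, 0755);

// Allowed: hello.sh is in the exec dir; the ';' in the second argument is
// escaped, so the program receives it as text instead of a second command.
$r = safe_mode_exec($execDir, 'hello.sh', ['first', 'second; echo injected']);
echo $r['command'], "\n", implode("\n", $r['output']), "\n";

// Refused: /bin/sh is outside the exec dir, and a relative traversal is
// reduced to its basename and not found there either.
foreach (['/bin/sh', '../../bin/sh'] as $p) {
    try {
        safe_mode_exec($execDir, $p, []);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}

// Environment: with the default prefix only PHP_ variables change; adding TZ
// to the list (safe_mode_allowed_env_vars = PHP_,TZ) permits TZ as well.
var_dump(safe_mode_putenv('PHP_DEBUG=1'));          // bool(true)
var_dump(safe_mode_putenv('PATH=/tmp'));            // bool(false)
var_dump(safe_mode_putenv('TZ=UTC'));               // bool(false)
var_dump(safe_mode_putenv('TZ=UTC', 'PHP_,TZ'));    // bool(true)

unlink($script);
rmdir($execDir);
```

The demo needs a POSIX shell and a writable temporary directory. The prefix match is a plain string prefix, just as the directive describes, so a prefix of PHP_ also admits a variable named PHP_ANYTHING; choose prefixes with that in mind.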