Great. Thanks for confirming.

----
Yemi

On 5/24/04 4:49 PM, "Matt Massie" <[EMAIL PROTECTED]> wrote:

> yemi-
>
> you shouldn't have any problem running in safe mode.. except that you
> will need to explicitly state the path to the rrdtool binary in the
> "safe" configuration. otherwise, php will not allow it to be run. (i
> can't remember exactly how that is done but i've seen it bounced around
> the list).
>
> as you say, we don't rely on register_globals. that security concern
> isn't an issue with ganglia.
>
> -matt
>
> On Mon, 2004-05-24 at 16:41, Adesanya, Adeyemi wrote:
>> Hi Brooks.
>>
>> After reading up on www.php.net, I have learned a little more. One of my
>> colleagues expressed concerns about php because of possible automatic
>> conversion of PHP forms to global variables.
>>
>> Here's an excerpt from the PHP docs explaining the dangers:
>> -----------------------------------------------------------------------------
>> For various reasons, PHP setups which rely on register_globals being on
>> (i.e., on form, server and environment variables becoming a part of the
>> global namespace, automatically) are very often exploitable to various
>> degrees. For example, the piece of code:
>>
>> <?php
>> if (authenticate_user()) {
>>     $authenticated = true;
>> }
>> ...
>> ?>
>>
>> May be exploitable, as remote users can simply pass on 'authenticated' as a
>> form variable, and then even if authenticate_user() returns false,
>> $authenticated will actually be set to true. While this looks like a simple
>> example, in reality, quite a few PHP applications ended up being exploitable
>> by things related to this misfeature.
>> -----------------------------------------------------------------------------
>>
>> Well, the good news is I believe that the Ganglia web frontend does not
>> require register_globals to be turned on. Local variables are initialized
>> using PHP predefined arrays such as $HTTP_GET_VARS, and the web page that
>> displays the php module configuration (info.php) appears to confirm that in
>> our case, register_globals is turned off. Next step is to try safe_mode .....
>>
>> ----
>> Yemi
>>
>>> -----Original Message-----
>>> From: Brooks Davis [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, May 24, 2004 10:51 AM
>>> To: Adesanya, Adeyemi
>>> Cc: 'ganglia-general@lists.sourceforge.net'
>>> Subject: Re: [Ganglia-general] PHP security concerns?
>>>
>>> On Mon, May 24, 2004 at 10:18:35AM -0700, Adesanya, Adeyemi wrote:
>>>>
>>>> Hi There.
>>>>
>>>> Our Ganglia monitoring system has been growing in size and popularity
>>>> and we would like to increase its visibility by serving the frontend
>>>> on a public web server. So far, the frontend has only been accessible
>>>> from within our intranet or via ssh tunnel.
>>>>
>>>> We are seeking approval from our web team who currently do not enable
>>>> PHP on public web servers due to security concerns. They may however
>>>> make an exception if the web pages can run under 'PHP safe_mode'. Do
>>>> you think their concerns are reasonable/justified? What experience do
>>>> we have running the web frontend in safe_mode? How much additional
>>>> work (if any) is required?
>>>
>>> There are two major issues with PHP. First, its default
>>> security model means that everything runs as the webserver
>>> user. That means PHP on a multiuser system is inadvisable.
>>> Second, there's a lot of REALLY crappy PHP code out there.
>>> One guy I know who works for an ISP says they clean up a
>>> break-in at least once a week caused by bad PHP code. Most
>>> of those are caused by idiots installing outdated code they
>>> download from untrustworthy sites.
>>>
>>> I'm not sure what would be required to run Ganglia in safe mode.
>>>
>>> -- Brooks
>>>
>>> --
>>> Any statement of the form "X is the one, true Y" is FALSE.
>>> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
>>>
>>
>> _______________________________________________
>> Ganglia-general mailing list
>> Ganglia-general@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/ganglia-general
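The register_globals excerpt quoted from the PHP manual above, and the "initialise locals yourself and read only the predefined request arrays" pattern Yemi describes for the Ganglia frontend, side by side in a runnable form. This is an added example, not code from the thread or from the Ganglia web frontend. Because register_globals was removed from PHP in 5.4, the script reproduces its effect with extract() on a constructed request array (an assumption made so the example runs from the CLI on a current interpreter); authenticate_user() is a stand-in that always fails, so any "logged in" result can only have come from the request.

```php
<?php
// Added example (not Ganglia code): the register_globals misfeature from the
// PHP manual excerpt, and the pattern that defeats it.
// register_globals was removed in PHP 5.4; extract($request) below stands in
// for it (request parameters dropped straight into the variable namespace)
// so the script runs from the CLI on a current interpreter.

// Stand-in credential check. It always fails, so a "true" result from either
// variant below can only have been injected by the request.
function authenticate_user(): bool
{
    return false;
}

// Pattern from the manual excerpt: $authenticated is never initialised, so a
// same-named value already in scope survives the failed check.
function check_vulnerable(array $request): bool
{
    extract($request);                // simulates register_globals = On
    if (authenticate_user()) {
        $authenticated = true;
    }
    return isset($authenticated) && $authenticated;
}

// Hardened pattern, as the thread describes for the Ganglia frontend: locals
// are initialised by the code, and request data is read by name from the
// predefined array ($_GET today, $HTTP_GET_VARS in 2004-era PHP), only for
// the keys the page actually expects. Nothing a client sends can pre-set
// $authenticated.
function check_hardened(array $request): bool
{
    $authenticated = false;           // explicit default
    $user = $request['user'] ?? '';   // expected field only, by name
    if ($user !== '' && authenticate_user()) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed request: a remote user simply appends authenticated=1 to the
// query string, exactly as the manual excerpt warns.
$forged = ['user' => 'yemi', 'authenticated' => '1'];

printf("vulnerable: %s\n", check_vulnerable($forged) ? 'LOGGED IN' : 'denied');
printf("hardened:   %s\n", check_hardened($forged) ? 'LOGGED IN' : 'denied');
```

Run with `php example.php`: the vulnerable variant reports LOGGED IN although authenticate_user() returned false, while the hardened variant denies. The hardened function is also the one that keeps working with register_globals off, which is the property Yemi checked in info.php. For the separate rrdtool point Matt raises, the php.ini directive that PHP 4/5 safe mode used to whitelist an executable's location was safe_mode_exec_dir (a fact about PHP safe mode, not something the thread itself states); it restricted exec()/system() to binaries under that directory, which is why the rrdtool path had to be named explicitly.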