Hi,

On Thu, 24 Nov 2005 09:11:53 -0800
Rasmus Lerdorf <[EMAIL PROTECTED]> wrote:

> > I'm not looking for any near-safe_mode-substitution. I'm more
> > concerned about the deployment of PHP6 at shared hosts.
> These shared hosts really should be using open_basedir.  We have 
> confused them by having both directives, and I see some even enable both 
> safe_mode and open_basedir on top of each other which doesn't make much 
> sense. 

Well, safe_mode could prevent someone from doing a
shell_exec("cat /home/otheruser/web/config.php");
open_basedir can't do the same thing.

Even if open_basedir could restrict the location of the called
executable people could still upload a binary to their own directory.

That's the part I liked about safe_mode. Not the words "safe", but the
grouping of exec-like functions into one setting. A new php user might
not know all the different kinds of exec-functions thus it would be
easier to forget one or two functions when blacklisting a bunch of
functions that were able to run executables.

I still think it would be nice with a "best practice for shared hosts"
page, maybe under the security section of the manual. Currently the part
about Filesystem Security mainly looks into script based security and
not configuration based security. The part about "Installed as an Apache
Module" just suggests that open_basedir itself will restrict access to
specific directories, but users could still run executables,
circumventing this restriction.

So, what would the "best practice" recommendation be?

- open_basedir restriction plus disable
  exec+passthru+proc_open+shell_exec+system+popen+pcntl_exec(+dl)?
- jail users into hell?
- or some third option?

> Shared hosts really should be setting an open_basedir on a 
> per-vhost basis.  This will fix file uploads and a number of other 
> issues and is every bit as safe (or unsafe depending on how you look at 
> it) as safe_mode.

Yeah, my thought was just to help automate this process. Of course the
larger web service providers would have automated their virtual host
generation and Apache2 users might just use mod_macro. Personally I feel
it is kind of redundant to specify the user's document_root as their
open_basedir value (although others might want to allow one level up,
giving users the possibility of putting variables out of web scope - this
is beside the point though).

-- 
- Peter Brodersen
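The combination this message asks about (a per-vhost open_basedir plus the exec-like functions disabled in one place), written out as an added configuration example that is not taken from this thread; the hostname, home directory and paths are assumed.

```apache
# Added example (not from the thread). Assumed: host example.org, the
# user's home /home/alice, PHP loaded as an Apache module (mod_php).
#
# 1) In php.ini, globally. disable_functions is only honoured there: it is
#    read once at module startup, so it cannot be set per virtual host.
#
#    disable_functions = exec,passthru,proc_open,shell_exec,system,popen,pcntl_exec,dl
#
#    This is the one-place grouping of exec-like functions the message
#    misses from safe_mode. Without it, open_basedir restricts PHP's own
#    file functions but not shell_exec("cat /home/otheruser/web/config.php"),
#    nor an uploaded binary started through one of these calls. dl() is in
#    the list so a user cannot load an extension that re-exposes them.
#
# 2) In httpd.conf, per virtual host:
<VirtualHost *:80>
    ServerName   example.org
    DocumentRoot /home/alice/web

    # php_admin_value cannot be overridden from .htaccess or ini_set(),
    # unlike php_value. The base is one level above the document root,
    # the option the message mentions, so includes and config can live
    # outside web scope. /tmp is included because the default session
    # save path is reached through the ordinary file functions and would
    # otherwise trip the open_basedir check.
    php_admin_value open_basedir "/home/alice:/tmp"
</VirtualHost>
```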

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
