Hi,

On Thu, 24 Nov 2005 09:11:53 -0800 Rasmus Lerdorf <[EMAIL PROTECTED]> wrote:

> > I'm not looking for any near-safe_mode-substitution. I'm more
> > concerned about the deployment of PHP6 at shared hosts.
>
> These shared hosts really should be using open_basedir. We have
> confused them by having both directives, and I see some even enable both
> safe_mode and open_basedir on top of each other which doesn't make much
> sense.

Well, safe_mode could prevent someone from doing a shell_exec("cat /home/otheruser/web/config.php"); open_basedir can't do the same thing. Even if open_basedir could restrict the location of the called executable, people could still upload a binary to their own directory.

That's the part I liked about safe_mode. Not the word "safe", but the grouping of exec-like functions into one setting. A new PHP user might not know all the different kinds of exec functions, thus it would be easier to forget one or two functions when blacklisting a bunch of functions that are able to run executables.

I still think it would be nice with a "best practice for shared hosts" page, maybe under the security section of the manual. Currently the part about Filesystem Security mainly looks into script-based security and not configuration-based security. The part about "Installed as an Apache Module" just suggests that open_basedir itself will restrict access to specific directories, but users could still run executables, circumventing this restriction.

So, what would the "best practice" recommendation be?

- open_basedir restriction plus disable exec+passthru+proc_open+shell_exec+system+popen+pcntl_exec(+dl)?
- jail users into hell?
- or something third?

> Shared hosts really should be setting an open_basedir on a
> per-vhost basis. This will fix file uploads and a number of other
> issues and is every bit as safe (or unsafe depending on how you look at
> it) as safe_mode.

Yeah, my thought was just to help automate this process.

Of course the larger web service providers would have automated their virtual host generation, and Apache2 users might just use mod_macro. Personally I feel it is kind of redundant to specify the user's document_root as their open_basedir value (although others might want to allow one level up, giving users a possibility of putting variables out of web scope; this is beside the point though).

-- 
- Peter Brodersen

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
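The combination the mail proposes, a per-vhost open_basedir plus disabling the exec-like functions, can be audited from inside the interpreter. The following is an added example written for this page, not code from the thread or the PHP project; it assumes the function list from the mail and that `DOCUMENT_ROOT` (or the working directory when run from the CLI) is the vhost's document root:

```php
<?php
// Audit of the two shared-host settings discussed in the thread:
// disable_functions must cover every exec-like function, and
// open_basedir must be set to something that actually confines the
// vhost. The function list is the one named in the mail.

const EXEC_LIKE = ['exec', 'passthru', 'proc_open', 'shell_exec',
                   'system', 'popen', 'pcntl_exec', 'dl'];

/** Exec-like functions missing from a disable_functions value (php.ini syntax). */
function exec_functions_left_enabled(string $disable_functions): array
{
    $disabled = array_filter(array_map('trim',
        explode(',', strtolower($disable_functions))));
    return array_values(array_diff(EXEC_LIKE, $disabled));
}

/** Findings for an open_basedir value relative to the vhost's document root. */
function open_basedir_findings(string $open_basedir, string $docroot): array
{
    if ($open_basedir === '') {
        return ['open_basedir is unset: no filesystem restriction at all'];
    }
    $findings = [];
    $covers_docroot = false;
    foreach (explode(PATH_SEPARATOR, $open_basedir) as $dir) {
        // open_basedir matches by prefix; a trailing slash limits an
        // entry to that directory instead of every name sharing the prefix.
        $dir = rtrim($dir, '/') . '/';
        if ($dir === '/') {
            $findings[] = 'open_basedir lists "/", which restricts nothing';
        }
        if (strncmp($docroot . '/', $dir, strlen($dir)) === 0) {
            $covers_docroot = true;
        }
    }
    if (!$covers_docroot) {
        $findings[] = "no open_basedir entry contains $docroot (scripts there cannot read their own files)";
    }
    return $findings;
}

// Run against the live configuration of the interpreter executing this script.
$docroot = rtrim($_SERVER['DOCUMENT_ROOT'] ?? getcwd(), '/');
$left = exec_functions_left_enabled((string) ini_get('disable_functions'));
printf("exec-like functions still enabled: %s\n", $left ? implode(', ', $left) : 'none');
foreach (open_basedir_findings((string) ini_get('open_basedir'), $docroot) as $finding) {
    echo "warning: $finding\n";
}
```

Because the audit reads `ini_get()`, it sees the values after any `php_admin_value` set in the vhost, so it is suited to dropping into each vhost as a one-off check.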