On Sun, Aug 26, 2007 at 09:15:54PM GMT, Stanislav Malyshev [EMAIL PROTECTED] 
said the following:
> No more and no less than any other scripting language, I'd say. And the 
> reason for that - it should be done on the OS level, not on the language 
> level. The OS possesses the capability and was created with exactly this purpose.

  Really?  Take anything that runs through CGI.  I can turn on suexec
for it and it will function the same plus it will run as the user and
that gives me more benefits.  But the architecture of how it runs is
100% secure, putting aside any vulnerabilities in the code that come up.

> Apache can't do much. OS should do it. Now, how to make OS do it there 
> you can have a number of solutions, starting with different user IDs and 
> up to using things like AppArmor and SELinux.

  No, this is the wrong way to approach the problem.  With hundreds of
users, all doing different things, there is a strong possibility that
I'll have to maintain such SELinux or apparmor rules for each user's
website.  That's ridiculous.  A secure server should be something that
is easy to accomplish, not difficult, lest you will have a situation
where the majority of sysadmins would rather just leave it insecure than
figure out the complexities of something like selinux.  I'm not just
bringing this up for me, I'm bringing it up because it's something that
needs to be fixed in PHP.  I didn't fight this fight before because
I figured, there are a lot smarter people out there closer to the PHP
team that would bring these issues up.  But apparently not.  I can't
believe this is still an issue as of PHP 6.  I started using PHP at
version 2.

> Removing safe_mode is recognition of un-feasibility of solving this 
> problem in PHP context. PHP uses dozens of external libraries, which are 
> very hard to control on the level of PHP. Because of that, PHP is not on 
> the level which is necessary to provide user-based security - it's too 
> high-level.

  No more high-level than Perl.  What's the difference?  The real
problem stems from PHP being TOO configurable.  This led to people
turning things on and off over the years and thinking certain things
were good and bad.  I think it's generally a bad idea to make a
programming language configurable.  PHP takes it to an extreme.  So you
wind up with people saying "Just do this and you'll be fine" and others
getting into religious wars over whether things like magic quotes are
good or bad.

  A programming language should not be configurable, it should be
standardized so that people can be sure that programs run consistently
for all people that run them.

> Having a security solution that works in 90% of the code is no better than 
> not having any. Actually, it's worse since some people may mistakenly 
> rely on that 90% as if it were 100% and thus neglect to look at the real 
> security solutions, leaving the system as vulnerable as if they had no 
> security at all.

 Well that's what we seem to have.  It's more like 50% acting like 100%.
This is off topic but I recently did a security investigation of
Dreamhost and their security practices were ridiculous.  And they say
on their website that they are "protected by ninjas".  Obviously there
are a lot of web hosting companies out there that don't care.

  But I'm one of the ones from the 90s that cares greatly about
security.  I know there are hackers knocking on the door all the time
and some of them can overcome trivial vulnerabilities. Beyond that,
users should never be able to read other users' data. Heck, while
writing this a user wrote me about their WordPress site being hacked.
Now that may have been a WordPress known vulnerability, but it doesn't
matter, without safe_mode on, it could have been worse.

> >decreasing it?  I've been waiting since Apache 2.0 (7 years now) for PHP
> >to take advantage of things Apache 2.0 offers in terms of being able to
> >let modules run as the user, but I've seen nothing in this regard.
> 
> Unfortunately, Apache never really supported running multiple-user 
> servers on single Apache instance.

  ???  What do you mean?  I talked with Ryan Bloom about this at Apache
Con 2000 and he said that with Apache 2.0, modules would be able to run
code with the permissions of the user assigned to each vhost.  I asked
about the prospect of PHP being able to utilize this and he said it's
possible, but I got the impression that the PHP devs were not
interested.

-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/
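An added illustration (not from the original message or the PHP project) of the suexec-per-vhost CGI arrangement Mark refers to above, contrasting it with the shared-UID mod_php setup; host names, user names and paths are assumed.

```apache
# Shared-UID arrangement: mod_php runs every site's scripts in-process as
# the single httpd user, so isolation between customers falls back on PHP
# itself (safe_mode, open_basedir) rather than on the kernel.
<VirtualHost *:80>
    ServerName shared.example.test
    DocumentRoot /var/www/shared
    AddHandler application/x-httpd-php .php
</VirtualHost>

# Per-user arrangement: PHP runs as a CGI program under suexec, so the
# kernel's ordinary file permissions decide whether sitea's scripts can
# read siteb's files, independently of any PHP configuration.
<VirtualHost *:80>
    ServerName sitea.example.test
    DocumentRoot /home/sitea/public_html
    # suexec switches to this UID/GID before exec'ing the CGI program.
    # Both the wrapper and DocumentRoot must sit under the suexec docroot
    # compiled into the suexec binary, or it refuses to run them.
    SuexecUserGroup sitea sitea
    # The wrapper lives in the user's own tree, owned by sitea, mode 0755:
    #   /home/sitea/php-bin/php-wrapper
    #     #!/bin/sh
    #     exec /usr/bin/php-cgi
    ScriptAlias /php-bin/ /home/sitea/php-bin/
    AddHandler php-cgi .php
    Action php-cgi /php-bin/php-wrapper
    <Directory /home/sitea/public_html>
        Options +ExecCGI
        Require all granted      # Apache 2.4; "Allow from all" on 2.0/2.2
    </Directory>
</VirtualHost>
```

With the home directories set to a restrictive mode (for example 0750, group-private), a script served from sitea that tries to open a file under /home/siteb is denied by the kernel, which is the isolation property the message argues should not depend on safe_mode.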

-- 
PHP Internals - PHP Runtime Development Mailing List