On 17.08.2011 at 14:25, Pierre Joye wrote:
> hi,
>
> On Wed, Aug 17, 2011 at 2:13 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
>> defaults on all servers i maintain since 10 years
>> "popen" is disabled per vhost with "php_admin_value
>> suhosin.executor.func.blacklist"
>> since "disable_functions" is too dumb working on <Directory>-directive
>>
>> disable_functions = "exec, passthru, shell_exec, system, proc_open,
>> proc_close, proc_nice, proc_terminate,
>> proc_get_status, pcntl_exec, apache_child_terminate, posix_kill,
>> posix_mkfifo, posix_setpgid, posix_setsid,
>> posix_setuid, mail, symlink"
>
> symlink is not disabled in most ISPs I work with or used (and that's
> quite a lot).

most setups out there are insecure as hell
this is no reason to ignore properly configured

> Besides the arguments already stated in the bug report, there is no
> chance that we will change this. All past attempts to "optimize"
> open_basedir (and before safemode) have ended as shooting ourselves in
> the knees.

if "realpath_cache" would be a little smarter and include a hash on
the open_basedir there would be nothing to change on open_basedir side

> It is still too slow for your needs? Don't use it and rely
> on system's solutions (or web server, like on IIS or many fastcgis).
> It sounds bad but that's how it is

the point is that "realpath_cache" is simply useless

show me one well thought setup without open_basedir and after that
think about your definition of "well thought" if you think you found
one - even with fastcgi and separated users there should never
be any access outside the docroot possible

so if "realpath_cache" will not be fixed in combination with "open_basedir"
it can be totally removed also for the handful of non-shared hosts