Jason, He has a point in the sense that it's trivially easy to starve a PHP based web server from within, safe mode enabled or not. What you describe as the automated way in which the web server will overcome this attack is not realistic - pretty quickly, the web server would hit the maximum number of children allowed, or (if improperly configured) run out of memory.
Fact is, safe mode doesn't even attempt to guard against this. Not that I think it can be guarded against, even if we were trying to do it. And a direct derived fact is that PHP is not safe to allow untrusted users to run code. I personally don't think that this was the idea behind safe mode - the idea behind safe mode was to guard against information leaking in between users, not against some renegade user that wants to bring the web server down. And, I've been advocating the removal of safe mode for years, because even at that, it does a pretty bad job. Not because it's poorly implemented, but because it's protection in the wrong level, that by definition, is bound to fail. And, I think we all agree that a false sense of security is worse than no security at all. Ilya illustrated what I was saying a while ago, about the inherent (woo, this word again! :) vulnerability of safe mode, by design. When I said it, I didn't invest any resources into proving that this inherent vulnerability is actually exploitable, he did. I believe that encouraging people to use CGI (and fast CGI as a performance solution) is probably the only way to go. And I agree with Stig that PHP 5.0 would be the right point in time to do that. Zeev At 08:54 13/05/2002, Jason Greene wrote: >On Mon, 2002-05-13 at 00:41, Ilia A. wrote: > > > disable_functions = sleep > > > > Ah but you forgot usleep, and flock() and socket_set_limit etc... > > Soon enough you'll disable every function. > >Not likely, and I wouldn't disable every single function. You complained >about the ability, I provided you with the way that YOU can disable it. >You have to ask yourself why your user would need to be able to call >sleep > > > And when you do, I'll still be able to deadlock a PHP process by making it > > excute a query on a locked SQL table, thus end up waiting forever for the > > lock to be >e>leased. So, you'll need to disable all database functions from > > your PHP. > > > >Now you are really starting to stretch it. I am sure the ratio of >customers that have db backends are much smaller than general webhosting >customers > >In all of these scenarios, the webserver itself would just spawn another >process, and the os would page the other one because it is not in use, >and then eventually the webserver would log the problem. > >If you factor that in with a shared environment with multiple webservers >and a load balance, your risk is pretty low. Even if someone did do >something like that to kill all of your webservers, you would easily be >able to find out who did it, and fix the abuser. > > > > > > > > > > The argument you make to remove safe mode because it is not > perfect > > > > > > > is unfounded. By the same argument you could say we shouldn't use > > > > > > > locks on our doors, because hey "they can be picked". > > > > > > > > > > > > Safe mode is not only imperfect it does not even work properly. In > > > > > > the last day and a half I've showed 5 bugs that allow it be > bypassed, > > > > > > simply take a look at the latest safe_mode bugs. > > > > > > > > > > Five, I only saw one. Regardless they can and should be fixed. > > > > > > > > Check again: > > > > > > > > Bug report #17168-69 > > > > Bug report #17155-57 > > > > > > All of those regarding safe mode are fixed now. > > > > Really, you don't say... bug reports #17168-69 are still open at the > time of > > this message being written. And when they are closed, don't worry I'll > have a > > few more posted tommorow for your enjoyment... > > > > > It depends on why the lock is broken, you have been suggesting this > > > whole time that safe mode is a DESIGN flaw. However, your reasoning is > > > only BUILD flaws. I have yet to hear a single reason as to why the > > > concept of extra uid, checks of files is a bad thing. > > > > It is not PHPs job as a scripting/programming language to do security. > > security should/must be done at the OS and web server level. Checking > uid is > > STUPID, the simplest example, is that if you upload a php script and it > > creates a file you can no longer read or write to that file even though > you > > have file permissions to do so. > > File system permissions exist for a reason, use them. > >how are you planning on protecting your passwd file then? > > > If you have sensetive data, like credit card information and you are > not using > > a dedicated server to store that data then do be surprised to find your > data > > in someone elses hands. In a shared enviroment especially where > > programming/scripting languages are avaliable it is merely a matter of > time > > before someone takes advantage of some security hole/oversight and > grabs the > > hold of your data. > > >So then you are agreeing : ) > > > > There are problems here and you can be a bit more constructive, and send > > > patches, offer new security techniques, report bugs. Exaggerating and > > > cursing safe mode does nothing but waste time. > > > > I am clearly demonstrating the problem and if you actually payed attention > > instead of trying to pretend this problem did not exist, > >I am not, I am merely disagreeing that safe mode should be removed. I >mean god man, if you hate safe mode so much turn it off. There are >options you know, but just because you don't like it does not mean that >everyone should not be able to use it. > > reporting bugs about > > it. I'd gladly offer a patch that will get rid off safe_mode for the > core php > > tree if developers are willing to add it to the CVS :) > >Or you could try something more useful, like fixing a bug in safe mode, >adding a new security feature, etc. etc. However, I suppose it is too >difficult to come up with a constructive solution. > > Safe mode wasteful and pointless this is no exageratio,n it makes > development > > in the "safe" enviroment pointlessly difficult and offers no real safety. > > > > Ilia >Hmm, but you just said that a shared webhosting enviroment, by nature, >has no real safety. > >Pointlesly difficult..... >then safe mode must be doing something.... > > > > > >-- >PHP Development Mailing List <http://www.php.net/> >To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php
