I very much agree : )

-Jason

On Mon, 2002-05-13 at 03:42, veins wrote:
> > He has a point in the sense that it's trivially easy to starve a PHP based
> > web server from within, safe mode enabled or not.  What you describe as the
> > automated way in which the web server will overcome this attack is not
> > realistic - pretty quickly, the web server would hit the maximum number of
> > children allowed, or (if improperly configured) run out of memory.
> 
> This is not PHP related. A web server improperly configured would run out
> of memory under a heavy load or with a CGI script.
> 
> > Fact is, safe mode doesn't even attempt to guard against this.  Not that I
> > think it can be guarded against, even if we were trying to do it.  And a
> > direct derived fact is that PHP is not safe to allow untrusted users to run
> > code.
> 
> I happen to think that allowing untrusted users to run PHP code is safer than
> allowing them to run a CGI script, even if PHP is not under safe_mode and
> that CGI is chroot()-ed.
> 
> > I personally don't think that this was the idea behind safe mode - the idea
> > behind safe mode was to guard against information leaking in between users,
> > not against some renegade user that wants to bring the web server
> > down.  And, I've been advocating the removal of safe mode for years,
> > because even at that, it does a pretty bad job.  Not because it's poorly
> > implemented, but because it's protection in the wrong level, that by
> > definition, is bound to fail.  And, I think we all agree that a false sense
> > of security is worse than no security at all.
> 
> I don't. I don't see safe_mode as a "false sense" of security, I see it as another
> layer to be used with other security mechanisms. I would surely not run a web
> server with safe_mode being the only security, but I would not even run PHP
> without the safe_mode option. And many admins wouldn't...
> 
> > Ilya illustrated what I was saying a while ago, about the inherent (woo,
> > this word again! :) vulnerability of safe mode, by design.  When I said it,
> > I didn't invest any resources into proving that this inherent vulnerability
> > is actually exploitable, he did.  I believe that encouraging people to use
> > CGI (and fast CGI as a performance solution) is probably the only way to
> > go.  And I agree with Stig that PHP 5.0 would be the right point in time to
> > do that.
> 
> Encouraging people to use CGI is a utopia, there are environments where
> CGI cannot be "offered" to customers and where PHP is the only option. The
> ability to use safe_mode (again, as another layer and not as the only security)
> is a nice option, I really strongly believe that it shouldn't be taken apart from
> PHP.
> 
> veins
> 



-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php