On Sun, 3 Jun 2007, Tomasz Pala wrote:

> I was considering a bug in any of shipped webapps. Even though the
> server can be safe_mode enabled

...which will be dropped in future PHP releases :) safe_mode is considered to be obsolete in PHP.

> there is possibility to read information that should remain
> confidential, like valuable for spammers users list from passwd. I leave
> other restrictions out deliberately, as ACLs, open_basedir etc. are not
> part of our default policy.

I see that you have started implementing open_basedir and I think that we should follow this way. Any restrictions, even very wide by default, would be nice.

> Currently system-wide package creates bigger threat than any user
> script, no matter how the environment IS secured (safe_mode, suexec PHP
> as CGI etc.). Shouldn't we change default root:root owner to some
> webapps:webapps?

What will it give us? I don't get the point at this moment...

--
Regards,
Pawel Golaszewski jid:blues<at>jabber<dot>gda<dot>pl