Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
Yes, this is what I'm talking about. Now is the time to do this before some distribution of Linux or whatnot includes a version of PHP 6 that would not have this feature. I'm sorry I can't code very well in C. But I'd be willing to write documentation or a migration guide or something. Jus

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Peter Brodersen
On Mon, 5 Nov 2007 17:12:03 +, in php.internals [EMAIL PROTECTED] (Mark Krenz) wrote: > See what I'm getting at? File ownership checking is just one part of >safe mode, exec dir restrictions are another major part. If you remove >this, it will open up a whole can of worms. It has earlier b

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Nate Gordon
> > > Unless there is some other way in PHP of restricting where you can run > > programs from (can't find any), > > Why PHP needs to do that ? isnt that part of OS level security ? There are those of us in shared environments where scripts can't be run as a single user because the content is ow

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
On Mon, Nov 05, 2007 at 07:02:05PM GMT, Alexey Zakhlestin [EMAIL PROTECTED] said the following: > Did you just ignore the part about fastcgi? > No I didn't, I just feel that fastcgi/suexec/mod_suphp doesn't handle all of the ready to run programs out there completely. Besides that, the whole po

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Alexey Zakhlestin
Did you just ignore the part about fastcgi? On 11/5/07, Mark Krenz <[EMAIL PROTECTED]> wrote: > On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED] > said the following: > > > > That's how textdrive/joyent do this and they are more than happy with > > this approach. > > >

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Michael McGlothlin
That's obvious and I do offer that. But what about users in a shared environment? There has to be a way to have cheaper accounts for people and the way to do that is to put a couple hundred of them on a machine. It'd be pretty easy to run a copy of Apache for each user on their own port

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
That's obvious and I do offer that. But what about users in a shared environment? There has to be a way to have cheaper accounts for people and the way to do that is to put a couple hundred of them on a machine. On Mon, Nov 05, 2007 at 06:42:35PM GMT, Michael McGlothlin [EMAIL PROTECTED] sai

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED] said the following: > > That's how textdrive/joyent do this and they are more than happy with > this approach. > Oh really? Read the section on Joyent/Textdrive here: http://suso.suso.org/xulu/Web_hosting_providers_

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Michael McGlothlin
Much easier and better to just throw every user their own virtual machine. They can go wild and you don't have to worry. Makes it easy to control how much CPU, RAM, and hdd the user is using too. -- Michael McGlothlin Southwest Plumbing Supply -- PHP Internals - PHP Runtime Development Mailing

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
On Mon, Nov 05, 2007 at 05:28:07PM GMT, Cristian Rodriguez [EMAIL PROTECTED] said the following: > > safe_mode does not really resist any analysis, whoever convinced you > that it is a good thing does not have a clue. > I've done the analysis, so you're saying that I don't have a clue. I don

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Alexey Zakhlestin
On 11/5/07, Mark Krenz <[EMAIL PROTECTED]> wrote: > Some people say to run Apache in a chroot jail, but I think that's > unreasonable and a lot of people aren't going to do that or know how to > do that properly. Besides, am I really going to run 200+ instances of > Apache? That seems unreasona

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Cristian Rodriguez
2007/11/5, Mark Krenz <[EMAIL PROTECTED]>: > Unless there is some other way in PHP of restricting where you can run > programs from (can't find any), Why PHP needs to do that ? isnt that part of OS level security ? >this is going to become a major problem. This is going to **solve** a major p

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
Well, I'm sorry to wait so long to repond back to this. I picked the wrong week/month to start this discussion as I didn't have the time to follow up on it. Now I kinda do. A lot of good and bad (IMHO) points were raised about PHP security in this thread. I am concerned about any one of my

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-09-02 Thread Peter Brodersen
On Sun, 26 Aug 2007 22:59:16 -0700, in php.internals [EMAIL PROTECTED] (Rasmus Lerdorf) wrote: > As PHP grew >and became more complex and linked in more complex libraries, it became >completely impossible to even begin to pretend that safemode was still >effective. 1½ year ago we talked about un

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Cristian Rodriguez
On 8/26/07, Mark Krenz <[EMAIL PROTECTED]> wrote: > No, this is the wrong way to approach the problem. No, this is the right way, language level security does not replace OS level security. > I'm bringing it up because its something that > needs to be fixed in PHP. No, fixing this issue in PH

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Rasmus Lerdorf
Mark Krenz wrote: > ??? What do you mean? I talked with Ryan Bloom about this at Apache > Con 2000 and he said that with Apache 2.0, modules would be able to run > code with the permissions of the user assigned to each vhost. I asked > about the prospect of PHP being able to utilize this and h

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Stanislav Malyshev
Really? Take anything that runs through CGI. I can turn on suexec for it and it will function the same plus it will run as the user and that gives me more benefits. But the architecture of how it runs is 100% secure, putting aside any vulnerabilities in the code that come up. It's what I ca

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Mark Krenz
On Sun, Aug 26, 2007 at 09:15:54PM GMT, Stanislav Malyshev [EMAIL PROTECTED] said the following: > No more and no less than any other scripting language, I'd say. And the > reason for that - it should be done on the OS level, not on the language > level. OS possesses the capability and created w

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Cristian Rodriguez
On 8/26/07, Mark Krenz <[EMAIL PROTECTED]> wrote: > So what is the plan for increasing the security of PHP rather than > decreasing it? The plan is probably increasing the security of PHP, and removing safe_mode is an step to do that, false sense of security is worst than no security at all, un

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Nate Gordon
On 8/26/07, Richard Lynch <[EMAIL PROTECTED]> wrote: > > First make sure you understand what safe_mode does, and doesn't do, > and just how lame it is at what it tried to do, and fails to do, and > simply cannot do. I am all for the removal of safe mode in php. I use safe_mode now, but I patch it

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Richard Lynch
On Sun, August 26, 2007 2:31 pm, Mark Krenz wrote: > First of all I don't want this to sound like a personal attack, its > professional. I just encountered something that really aggrevates me > about the state of PHP and I want to be heard by the developers. First make sure you understand what

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Stanislav Malyshev
and read the notes on safe_mode and open_basedir. PHP as is, is a real pain in the ass to lock down completely and it always has been. In fact, I'd venture to say that its impossible. And believe me when I say that No more and no less than any other scripting language, I'd say. And the reason

[PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Mark Krenz
First of all I don't want this to sound like a personal attack, its professional. I just encountered something that really aggrevates me about the state of PHP and I want to be heard by the developers. I just read through this document, http://www.php.net/~derick/meeting-notes.html and