Yes, this is what I'm talking about. Now is the time to do this
before some distribution of Linux or whatnot includes a version of PHP 6
that would not have this feature.
I'm sorry I can't code very well in C. But I'd be willing to write
documentation or a migration guide or something. Jus
On Mon, 5 Nov 2007 17:12:03 +, in php.internals [EMAIL PROTECTED]
(Mark Krenz) wrote:
> See what I'm getting at? File ownership checking is just one part of
>safe mode, exec dir restrictions are another major part. If you remove
>this, it will open up a whole can of worms.
It has earlier b
>
> > Unless there is some other way in PHP of restricting where you can run
> > programs from (can't find any),
>
> Why does PHP need to do that? Isn't that part of OS level security?
There are those of us in shared environments where scripts can't be
run as a single user because the content is ow
On Mon, Nov 05, 2007 at 07:02:05PM GMT, Alexey Zakhlestin [EMAIL PROTECTED]
said the following:
> Did you just ignore the part about fastcgi?
>
No I didn't, I just feel that fastcgi/suexec/mod_suphp doesn't handle
all of the ready to run programs out there completely. Besides that, the
whole po
Did you just ignore the part about fastcgi?
On 11/5/07, Mark Krenz <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED]
> said the following:
> >
> > That's how textdrive/joyent do this and they are more than happy with
> > this approach.
> >
>
That's obvious and I do offer that. But what about users in a shared
environment? There has to be a way to have cheaper accounts for people
and the way to do that is to put a couple hundred of them on a machine.
It'd be pretty easy to run a copy of Apache for each user on their own
port
That's obvious and I do offer that. But what about users in a shared
environment? There has to be a way to have cheaper accounts for people
and the way to do that is to put a couple hundred of them on a machine.
On Mon, Nov 05, 2007 at 06:42:35PM GMT, Michael McGlothlin [EMAIL PROTECTED]
sai
On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED]
said the following:
>
> That's how textdrive/joyent do this and they are more than happy with
> this approach.
>
Oh really? Read the section on Joyent/Textdrive here:
http://suso.suso.org/xulu/Web_hosting_providers_
Much easier and better to just throw every user their own virtual
machine. They can go wild and you don't have to worry. Makes it easy to
control how much CPU, RAM, and hdd the user is using too.
--
Michael McGlothlin
Southwest Plumbing Supply
--
PHP Internals - PHP Runtime Development Mailing
On Mon, Nov 05, 2007 at 05:28:07PM GMT, Cristian Rodriguez [EMAIL PROTECTED]
said the following:
>
> safe_mode does not really resist any analysis, whoever convinced you
> that it is a good thing does not have a clue.
>
I've done the analysis, so you're saying that I don't have a clue. I
don
On 11/5/07, Mark Krenz <[EMAIL PROTECTED]> wrote:
> Some people say to run Apache in a chroot jail, but I think that's
> unreasonable and a lot of people aren't going to do that or know how to
> do that properly. Besides, am I really going to run 200+ instances of
> Apache? That seems unreasona
2007/11/5, Mark Krenz <[EMAIL PROTECTED]>:
> Unless there is some other way in PHP of restricting where you can run
> programs from (can't find any),
Why does PHP need to do that? Isn't that part of OS level security?
>this is going to become a major problem.
This is going to **solve** a major p
Well, I'm sorry to wait so long to respond back to this. I picked the
wrong week/month to start this discussion as I didn't have the time to
follow up on it. Now I kinda do.
A lot of good and bad (IMHO) points were raised about PHP security in
this thread. I am concerned about any one of my
On Sun, 26 Aug 2007 22:59:16 -0700, in php.internals
[EMAIL PROTECTED] (Rasmus Lerdorf) wrote:
> As PHP grew
>and became more complex and linked in more complex libraries, it became
>completely impossible to even begin to pretend that safemode was still
>effective.
1½ year ago we talked about un
On 8/26/07, Mark Krenz <[EMAIL PROTECTED]> wrote:
> No, this is the wrong way to approach the problem.
No, this is the right way, language level security does not replace OS
level security.
> I'm bringing it up because it's something that
> needs to be fixed in PHP.
No, fixing this issue in PH
Mark Krenz wrote:
> ??? What do you mean? I talked with Ryan Bloom about this at Apache
> Con 2000 and he said that with Apache 2.0, modules would be able to run
> code with the permissions of the user assigned to each vhost. I asked
> about the prospect of PHP being able to utilize this and h
Really? Take anything that runs through CGI. I can turn on suexec
for it and it will function the same plus it will run as the user and
that gives me more benefits. But the architecture of how it runs is
100% secure, putting aside any vulnerabilities in the code that come up.
It's what I ca
On Sun, Aug 26, 2007 at 09:15:54PM GMT, Stanislav Malyshev [EMAIL PROTECTED]
said the following:
> No more and no less than any other scripting language, I'd say. And the
> reason for that - it should be done on the OS level, not on the language
> level. OS possesses the capability and created w
On 8/26/07, Mark Krenz <[EMAIL PROTECTED]> wrote:
> So what is the plan for increasing the security of PHP rather than
> decreasing it?
The plan is probably increasing the security of PHP, and removing
safe_mode is a step to do that, a false sense of security is worse than
no security at all, un
On 8/26/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
>
> First make sure you understand what safe_mode does, and doesn't do,
> and just how lame it is at what it tried to do, and fails to do, and
> simply cannot do.
I am all for the removal of safe mode in php. I use safe_mode now,
but I patch it
On Sun, August 26, 2007 2:31 pm, Mark Krenz wrote:
> First of all I don't want this to sound like a personal attack, it's
> professional. I just encountered something that really aggravates me
> about the state of PHP and I want to be heard by the developers.
First make sure you understand what
and read the notes on safe_mode and open_basedir. PHP as is, is a real
pain in the ass to lock down completely and it always has been. In fact,
I'd venture to say that it's impossible. And believe me when I say that
No more and no less than any other scripting language, I'd say. And the
reason
First of all I don't want this to sound like a personal attack, it's
professional. I just encountered something that really aggravates me
about the state of PHP and I want to be heard by the developers.
I just read through this document,
http://www.php.net/~derick/meeting-notes.html
and