Hi!
There are 2.5 possibilities that make sense.
a.) mod_suphp [Any volunteers to put that into debian tree??:-)] www.suphp.org
b.) Run php as cgi and attach she-bang (#!/path/to/pgp-cgi)
c.) Run php as cgi and teach the environment to treat .php files like binaries with the "binfmt" kernel module
Personally I did not decide wether to take a.) or c.) ...
Rgds, Andreas
Franz Georg KÃhler wrote:
On So, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel <[EMAIL PROTECTED]> wrote:
Hi,
I came upon a strange problem when trying to list directory's in safe mode as a normal user. Of course I expected this not to work, because safe_mode disables the possibility of reading files that not belong to the owner of the PHP-file. However, it does not seem to check for directory ownerships. (debian stable, PHP4.1.2). PHP does give a warning about safe_mode (as seen below) but then nicely lists the directory :(
This means any user can just browse through any dir. on my system. PHP obviously still obeys UNIX file permissions so i could tighten up those, and enable basedir restrictions and stuff, but it looks to me that this is just a (major) bug ?
Hello,
it is widely known that safe_mode is not really safe.
You might want to restrict access with open_basedir .
The most secure solution is still to install php's cgi executable in an suexec environment.
-- Andreas John net-lab GmbH Luisenstrasse 30b 63067 Offenbach Tel: +49 69 85700331
http://www.net-lab.net
