On 17.08.2011 13:14, Pierre Joye wrote:
> On Tue, Aug 16, 2011 at 11:29 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>> Hi
>>
>> https://bugs.php.net/bug.php?id=52312
>>
>> does the security-problem in combination with open_basedir only
>> occur if there are symlinks created?
>>
>> * i guess in most secure setups "symlink" is disabled
>
> For what I can see, almost no setup disables the symlink functions in
> php, even less in the shell.

defaults on all servers i maintain since 10 years
"popen" is disabled per vhost with "php_admin_value suhosin.executor.func.blacklist"
since "disable_functions" is too dumb working on <Directory>-directive

disable_functions = "exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink"

>> * give us an option to bypass the check in such environments
>
> Well, there are other better ways to control access than relying on
> open_basedir. Permissions are on, that's why I would not add special
> cases here

if you are hosting some hundred domains there are not really better ways
since you will not add hundreds of system-users while you have to deal
with FTP/SFTP and exactly these setups for some hundred domains would
benefit most of the realpath-cache