On Wed, Mar 03, 2004 at 08:39:06AM -0500, Chris wrote:
> One final comment. It seems there was some motivation, by the PHP creators,
> to institute safe mode as a fix to potential security abuses. If that was
> the case, why weren't the underlying problems removed or remedied as
> opposed to letting PHP admins make the call?
To remove the underlying problem, changes in Apache would have to be made. The problem is that mod_php (not necessarily PHP as CGI) runs as the same user that Apache runs as. There is nothing PHP developers can do about that. This means (assuming mod_php) that when your hosted website runs a PHP script, and another website hosted by the same company runs a PHP script, both scripts are running as the same username. This opens up any number of possibilities for malicious or accidental access to others' files. Additionally, all system calls will be called as the same user, so the server's built-in mechanisms for determining user permissions are useless.

One solution is to run PHP as CGI and use suexec to cause PHP scripts to be run as specific usernames. However, there are speed and integration advantages to running as mod_php, so using CGI isn't necessarily the best solution. The other is to use safe mode, which does what it can to help solve security concerns by relying on file permissions to determine what can be accessed, and by restricting things like system calls that are too potentially harmful. It's not the right way to solve the problem (as they mention on the safe mode page), but solving it at the Apache level[1] may or may not be viable.

Safe mode is not necessarily appropriate for all situations; on personal servers, or single-user websites, it can be too restrictive. However, for hosting companies, as others have said, not using it has the potential to make your customers very unhappy when someone else's poorly-coded script starts wreaking havoc.

[1] Apache 2's "perchild" MPM looks interesting:
http://httpd.apache.org/docs-2.0/mod/perchild.html

When it's functional, I'm not sure if it will eliminate the need for safe mode or not. It still appears that for large hosts, managing the UIDs might be difficult. I'm by no means an Apache admin, but if my hosting company has 300 vhosts, it seems like you'd have to start at least that many servers, and that only one instance will be tied to a vhost (so if one vhost is getting lots of traffic, and one is getting only a little, there won't be spare servers around to balance things out). I'm basing that all on what I read at Apache's site, so I may well be wrong.

joel

--
[ joel boonstra | gospelcom.net ]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
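The three deployment models discussed in the message above (mod_php with one shared uid, mod_php with safe mode's owner check layered on top, and PHP as CGI under suexec) can be compared side by side with a small model. This is an added example written for this page, not code from the thread and not PHP's or Apache's own implementation: the filesystem table, paths, uids, gids and modes are constructed, `APACHE_UID` is assumed to be 33, and `safe_mode_allows` mirrors only the documented rule (script owner must match target owner, or group with `safe_mode_gid`), not PHP's source. Safe mode's other restrictions (on `system()`, `exec()` and so on) are deliberately left out.

```python
# Constructed stand-in for a shared hosting box's filesystem (assumption: these
# paths, uids, gids and permission bits are made up for the example).
# Each entry is path -> (owner uid, owner gid, mode bits).
FAKE_FS = {
    "/home/alice/public_html/index.php":  (1001, 100, 0o644),
    "/home/alice/public_html/config.inc": (1001, 100, 0o644),
    "/home/bob/public_html/index.php":    (1002, 100, 0o644),
    # world-readable because under mod_php the Apache uid has to read it
    "/home/bob/public_html/config.inc":   (1002, 100, 0o644),
    # what bob could do if his scripts ran as his own uid (suexec)
    "/home/bob/private/db.pass":          (1002, 200, 0o600),
}

APACHE_UID = 33  # assumed www-data uid: the one uid every vhost gets under mod_php


def effective_uid(script_path, deployment):
    """Which uid the kernel sees when this script runs."""
    if deployment == "mod_php":
        return APACHE_UID                  # identical for every customer
    if deployment == "cgi_suexec":
        return FAKE_FS[script_path][0]     # suexec switches to the script's owner
    raise ValueError(deployment)


def kernel_allows_read(euid, target_path):
    """Plain Unix DAC read check (group bits ignored for brevity)."""
    uid, _gid, mode = FAKE_FS[target_path]
    if euid == 0:
        return True
    if euid == uid:
        return bool(mode & 0o400)
    return bool(mode & 0o004)


def safe_mode_allows(script_path, target_path, safe_mode_gid=False):
    """Model of safe mode's file-owner rule: a file function is permitted only
    if the owner of the running script matches the owner of the target file
    (or, with safe_mode_gid=On, the groups match).  Documented rule only;
    this is not PHP's implementation."""
    s_uid, s_gid, _ = FAKE_FS[script_path]
    t_uid, t_gid, _ = FAKE_FS[target_path]
    if safe_mode_gid:
        return s_gid == t_gid
    return s_uid == t_uid


def can_read(script_path, target_path, deployment,
             safe_mode=False, safe_mode_gid=False):
    """Combined decision: the kernel check always applies; safe mode, when on,
    adds its owner comparison on top of it."""
    euid = effective_uid(script_path, deployment)
    if not kernel_allows_read(euid, target_path):
        return False
    if safe_mode and not safe_mode_allows(script_path, target_path, safe_mode_gid):
        return False
    return True


if __name__ == "__main__":
    alice = "/home/alice/public_html/index.php"
    bob = "/home/bob/public_html/index.php"
    bob_cfg = "/home/bob/public_html/config.inc"
    bob_pw = "/home/bob/private/db.pass"
    scenarios = [
        ("mod_php",                 dict(deployment="mod_php")),
        ("mod_php + safe_mode",     dict(deployment="mod_php", safe_mode=True)),
        ("mod_php + safe_mode_gid", dict(deployment="mod_php", safe_mode=True,
                                         safe_mode_gid=True)),
        ("CGI + suexec",            dict(deployment="cgi_suexec")),
    ]
    for label, kw in scenarios:
        print(f"{label:24} alice reads bob's config.inc: "
              f"{can_read(alice, bob_cfg, **kw)!s:5}  "
              f"alice reads bob's db.pass: {can_read(alice, bob_pw, **kw)!s:5}  "
              f"bob reads own db.pass: {can_read(bob, bob_pw, **kw)}")
```

Two things the model makes visible that the prose only states: under plain mod_php alice's script reads bob's world-readable config because the kernel sees uid 33 for both, and safe mode blocks it only by comparing file owners, which is why `safe_mode_gid` (same primary group for all customers) quietly reopens the hole. Under suexec the kernel does the separation itself, but only once bob stops leaving his files world-readable, which mod_php had forced him to do.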