On Wed, 3 Mar 2004, joel boonstra wrote:

> On Wed, Mar 03, 2004 at 08:39:06AM -0500, Chris wrote:
> > One final comment. It seems there was some motivation, by the PHP creators,
> > to institute safe mode as a fix to potential security abuses. If that was
> > the case, why weren't the underlying problems removed or remedied as
> > opposed to letting PHP admins make the call?
>
> To remove the underlying problem, changes in Apache would have to be
> made. The problem is that mod_php (not necessarily PHP as CGI) runs as
> the same user that Apache runs as. There is nothing PHP developers can
> do about that. This means (assuming mod_php) that when your hosted
> website runs a PHP script, and another website hosted by the same
> company runs a PHP script, both scripts are running as the same
> username. This opens any number of possibilities for malicious or
> accidental access to others' files. Additionally, all system calls will
> be called as the same user, so the server's built-in mechanisms for
> determining user permissions are useless.
>
> One solution is to run PHP as CGI and use suexec to cause PHP scripts to
> be run as specific usernames. However, there are speed and integration
> advantages to running as mod_php, so using CGI isn't necessarily the
> best solution.
>
> The other is to use safe mode, which does what it can to help solve
> security concerns by relying on file permissions to determine what can
> be accessed, and by restricting things like system calls that are too
> potentially harmful. It's not the right way to solve the problem (as
> they mention on the safe mode page), but solving it at the Apache level[1]
> may or may not be viable.
>
> Safe mode is not necessarily appropriate for all situations; on personal
> servers, or single-user websites, it can be too restrictive. However,
> for hosting companies, as others have said, not using it has the
> potential to make your customers very unhappy when someone else's
> poorly-coded script starts wreaking havoc.
>
> [1] Apache 2's "perchild" MPM looks interesting:
>
> http://httpd.apache.org/docs-2.0/mod/perchild.html
>
> When it's functional, I'm not sure if it will eliminate the need for
> safe mode or not. It still appears that for large hosts, managing the
> UIDs might be difficult. I'm by no means an apache admin, but if my
> hosting company has 300 vhosts, it seems like you'd have to start at
> least that many servers, and that only one instance will be tied to a
> vhost (so if one vhost is getting lots of traffic, and one is getting
> only a little, there won't be spare servers around to balance things
> out). I'm basing that all on what I read at Apache's site, so I may
> well be wrong.
That was a very good summary. ;)

-Rasmus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
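An added audit script for the exposure joel describes (it is not code from the thread, from PHP or from Apache): under mod_php every vhost's scripts run as the one Apache user, so anything readable or writable by "other" inside one customer's tree is reachable from every other customer's script. It assumes one directory per vhost under a single root, each owned by that customer's uid, and reports on mode bits only, so it runs the same whichever user invokes it.

```sh
#!/bin/sh
# Added example, not the thread's or PHP's own code.
# Assumed layout: $ROOT/<vhost>/... with each <vhost> directory owned by
# that customer's uid. Under mod_php all scripts run as the Apache user,
# so permissions granted to "other" are effectively granted to every
# co-hosted script; under suexec/CGI only the owner's scripts get them.

# Regular files below DIR whose mode grants read to "other" (-perm -004).
world_readable_files() {
    find "$1" -mindepth 1 -type f -perm -004 | sort
}

# Directories below DIR whose mode grants write to "other" (-perm -002):
# any co-hosted script could drop files there under mod_php.
world_writable_dirs() {
    find "$1" -mindepth 1 -type d -perm -002 | sort
}

# One line per vhost: "<vhost> readable=<n> writable_dirs=<n>".
audit_vhosts() {
    root="$1"
    for vhost in "$root"/*/; do
        vhost="${vhost%/}"
        r=$(world_readable_files "$vhost" | wc -l | tr -d ' ')
        w=$(world_writable_dirs "$vhost" | wc -l | tr -d ' ')
        printf '%s readable=%s writable_dirs=%s\n' \
            "$(basename "$vhost")" "$r" "$w"
    done
}
```

A non-zero count for a vhost is the set of files and directories that safe mode's owner check or a move to suexec would be protecting; the script does not change any permissions.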