OK, I have been messing with PHP for a while now, but still can't find a good answer to some of these questions: 1. In an ISP Multi-Hosted environment, is it better to run the CGI or Module versions of PHP? I understand that running in CGI mode will allow me to use the Apache module suExec to wrap all of my scripts for each of my different websites, effectively locking them down to whatever their permissions are. However, this results in a huge performance hit. 2. Is it recommended that safe_mode should always be on? Without it, users can execute system() calls and file commands with limited permission checking, and as my network is a shared hosting platform, not dedicated virtual servers with their own chrooted services and IPs, these functions can not be allowed. 3. Running the module version of PHP with safe_mode on results in a relatively secure environment, however, to create new files and/or directories, etc., etc., the web server (Apache) must be the same owner as the root directory you are trying to create files in. This is great, except now, all my users MUST have files with the same owner permissions, resulting in a bigger risk of one user finding a way to attack another. Does anyone know of another way to do this? 4. I have set open_basedir to a ".", basically stating that PHP scripts can only open files in their current directory, or any child directory, as long as the conditions of #3 above are met. The only real resolution, to allow a user to open ANY file in their directory, is to put the actual directory in the PHP.ini file, such as "/home/domains/www.domain.dom:80/htdocs". When dealing with potentially thousands of domains, this becomes a hassle. What I really need is to be able to enter "/home/domains/*/htdocs". Anyone found any solutions or workarounds to THIS problem yet? Thanks for reading this post, and any help would be greatly appreciated. I am very excited about offering PHP to our hosting customers, but don't want to do so at the expense of huge administration overhead, greatly reduced security for either our servers or customer content. Ideally, I would like to set up each user directory with their own user/group permissions, and have suExec recognize thisfor CGI access (other than PHP), and all reasonable file functions for PHP to work within their user space without removing any functionality to any specific functions in the Apache module. Dennis Youngblood Web-Hosting Adminsitrator ProWeb Publishing / ProWeb Server 916.722.8787 [EMAIL PROTECTED] www.prowebserver.org [EMAIL PROTECTED] www.prowebpublishing.com -- PHP Install Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
