[horde] calls to popen()

Ralf Lang lang at b1-systems.de
Sun Feb 12 08:14:56 UTC 2012


>> SUHOSIN is that piece of software which blocked the remote security bug
>> in PHP that was fixed some days ago, and many thousands of generic
>> attacks in the last years, and has nothing to do with safe_mode
>>
>> also php has a builtin "disable_functions" (but not per-site) which has
>> also NOTHING to do with safe_mode - so please stop explaining the world
>> to people without having any education in security topics
>>
>> php_admin_value suhosin.executor.func.blacklist "popen, pclose, exec,
>> passthru, shell_exec, system, proc_open,
>> proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec,
>> apache_child_terminate, posix_kill,
>> posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink"
>
> Nobody forces you to use PGP functionality, or *any* functionality that
> uses proc_open etc, in Horde if you are paranoid. It's your choice.
> There is no alternative.
> Jan.
>

A shared hosting environment which bases its security on the assumption 
that the scripting stack (PHP, python, perl-cgi) limits itself and does 
not allow scripts harmful behaviour is broken anyway. The www user and 
the files in its domain should not be able to run "dangerous" commands, 
touch files it shouldn't have access to, and should have resource 
restrictions via cgroups. This has to be ensured below the scripting 
stack and is not a matter of PHP.
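The thread above contrasts a Suhosin executor blacklist with PHP's own
disable_functions directive. As an added example (not part of the thread or
of Horde), the following POSIX shell script audits a php.ini file: it reads
the disable_functions line and reports which of the process-execution and
process-control functions named in the quoted blacklist are still callable.
The function list is copied from the quoted message; the php.ini path is
whatever you pass as the argument. It is a configuration check only and, as
Ralf's reply argues, does not replace OS-level isolation of the www user.

```shell
#!/bin/sh
# Added example, not code from the Horde project or the mailing-list thread.
# Audit a php.ini "disable_functions" directive against the process-related
# functions listed in the quoted Suhosin blacklist.

# Functions from the quoted suhosin.executor.func.blacklist (copied from
# the message above; extend the list to match your own policy).
EXEC_FUNCS="popen pclose exec passthru shell_exec system proc_open proc_close \
proc_nice proc_terminate proc_get_status pcntl_exec apache_child_terminate \
posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid mail symlink"

# disabled_functions FILE
# Prints the names from the last uncommented "disable_functions = ..." line,
# one per line. Commented lines (";disable_functions") are ignored, as is the
# surrounding quoting and comma/space separation.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"' | tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# still_enabled FILE
# Prints each name from EXEC_FUNCS that is NOT covered by disable_functions.
still_enabled() {
    disabled=$(disabled_functions "$1")
    for f in $EXEC_FUNCS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$f"; then
            echo "$f"
        fi
    done
}

# count_still_enabled FILE
# Number of still-callable functions; 0 means the whole list is disabled.
count_still_enabled() {
    still_enabled "$1" | sed '/^$/d' | wc -l | tr -d ' '
}

# Stand-alone usage: ./audit_php_ini.sh /etc/php.ini
if [ -n "$1" ]; then
    n=$(count_still_enabled "$1")
    if [ "$n" -eq 0 ]; then
        echo "all listed functions are disabled in $1"
    else
        echo "$n listed function(s) still callable in $1:"
        still_enabled "$1"
    fi
fi
```

Note that disable_functions is global to the PHP configuration (the thread
points out it is not per-site), so a gap reported here applies to every
vhost served by that PHP instance.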

