[imp] Safe Mode

Eric Rostetter eric.rostetter at physics.utexas.edu
Tue Sep 30 21:40:58 PDT 2003


Quoting Caylan Van Larson <caylan at aero.und.edu>:

> > Always a dangerous combination.  Make sure you check everything for
> > access restrictions, like where you save php session files, php
> > uploaded files, etc.  I don't allow logins to my Horde server just
> > because of such reasons.
>
> Nor do I Eric.  This server processes ~/<username> requests from a
> mod_rewrite rule from our main non-student accessible server.  AFAIK,

Yeah, I kind of misspoke there.  I meant to say, I don't allow user cgi,
user server side includes, or user scripting of any sort on the
server ;)  In other words, no users have access to put files on the
machine, and no user web pages exist on the server.

> suexec, cgiwrap or sbox  that effectively chroots user processes
> protects the server from cgi scripts.  However, when php is thrown in
> (that is not protected with suexec/cgi-wrapper) how do you chmod the
> php.ini file so users can not read it using php (which runs as the www
> user)?  Isn't that why safe_mode was created?

Like I said, in your situation (user pages on the same server) safe_mode
is a very good thing.  I avoid safe mode by not allowing users any
kind of cgi/ssi/scripting on the machine.

> > While your reason for putting safe_mode on was completely bogus
>
> Am I missing something or did you just have a bad day?

No, your reason was bogus.  But doing so was a smart thing, for other
reasons, in your case.  I totally think you should be running safe mode,
but not for the reason you stated.

> Caylan

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!

