[imp] Safe Mode
Eric Rostetter
eric.rostetter at physics.utexas.edu
Tue Sep 30 21:40:58 PDT 2003
Quoting Caylan Van Larson <caylan at aero.und.edu>:
> > Always a dangerous combination. Make sure you check everything for
> > access restrictions, like where you save php session files, php
> > uploaded files, etc. I don't allow logins to my Horde server just
> > because of such reasons.
>
> Nor do I, Eric. This server processes ~/<username> requests from a
> mod_rewrite rule from our main non-student accessible server. AFAIK,
Yeah, I kind of misspoke there. I meant to say, I don't allow user cgi,
user server side includes, or user scripting of any sort on the
server ;) In other words, no users have access to put files on the
machine, and no user web pages exist on the server.
> suexec, cgiwrap or sbox that effectively chroots user processes
> protects the server from cgi scripts. However, when php is thrown in
> (that is not protected with suexec/cgi-wrapper) how do you chmod the
> php.ini file so users can not read it using php (which runs as the www
> user)? Isn't that why safe_mode was created?
Like I said, in your situation (user pages on the same server) safe_mode
is a very good thing. I avoid safe mode by not allowing users any
kind of cgi/ssi/scripting on the machine.
> > While your reason for putting safe_mode on was completely bogus
>
> Am I missing something or did you just have a bad day?
No, your reason was bogus. But doing so was a smart thing, for other
reasons, in your case. I totally think you should be running safe mode,
but not for the reason you stated.
> Caylan
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Why get even? Get odd!