PHP 6 Safe Mode is OFF
kashi50
Mar 22nd, 2008, 03:56 PM
Hi there. As we know, in PHP 6 Safe Mode is off and can't be turned on... it means a hacker can upload a shell script to the server... any idea how to secure it, or any alternative solution to Safe Mode to secure shared hosting?
visualAd
Mar 22nd, 2008, 04:27 PM
Write secure code. Safe mode was just an excuse not to and lured developers into a false sense of security. That is why it has been removed. open_basedir still exists though.
visualAd
Mar 22nd, 2008, 04:33 PM
And from the shared server point of view, which was the original intention of safe mode: PHP should not be used to enforce things like environment variable visibility, execution directories and file open masks.
kashi50
Mar 22nd, 2008, 05:02 PM
So what do you people suggest: if we are using PHP 6 and running a shared hosting web, can I use Mod-Php and FastCGI? Because I want to use PHP 6 and don't want to allow anyone to upload a shell script like r57 etc. Or if you have any other best solution, please?
visualAd
Mar 22nd, 2008, 06:55 PM
You need to ensure that the web server is running with the appropriate permissions. My advice to you is that if you are running a shared server, you ensure that all your users who have SSH access are chrooted into their home directory and that you run PHP as a CGI using the suexec helper, which is a safe way of executing CGI scripts as a different user.
With regards to uploading shell scripts: you can prevent the execution of files at the kernel level when the file system is mounted. However, if your users and your web applications have non-root access it will be difficult for it to do much damage if it were executed.
If you are running a shared server you will never be completely immune to security flaws because your users will be uploading code. For example, someone could cause a denial of service on the host by running a script which enters an infinite loop. So in addition you need to ensure your fair use policy (which I am sure you have ;)) is robust enough to be able to deal with the un-secure code yourself and with those who install and run it.
The most damage any process run by a user on a shared host should EVER be able to do is delete all the files in that user's document root.
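The mount-level control mentioned in the last reply can be checked with a short audit. This is an added example, not part of the original thread: it finds the mount that covers a directory and reports whether `noexec` and `nosuid` are set. The directory names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
/dev/sda3 /home/uploads ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid 0 0'

# mount_opts_for PATH [MOUNTS_TEXT]
# Prints the options of the longest mount point covering PATH.
# Without MOUNTS_TEXT the live /proc/mounts is read.
mount_opts_for() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2
            # Match on a path-component boundary so /home does not cover /homework.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # >= lets a later mount stacked on the same point win.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# has_opt OPTS NAME: succeeds if NAME is in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_dir PATH [MOUNTS_TEXT]
# Prints "OK PATH" or "MISSING <options> PATH" and returns non-zero on a gap.
audit_dir() {
    opts=$(mount_opts_for "$1" "$2")
    missing=
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then echo "OK $1"; return 0; fi
    echo "MISSING$missing $1"
    return 1
}

# Demo over the constructed sample; drop the second argument to audit the live host.
for d in /home/uploads/alice /home/bob/public_html /tmp; do
    audit_dir "$d" "$SAMPLE_MOUNTS" || true
done
```

`noexec` blocks direct execution of binaries stored on that file system; a PHP file there is still read and run by the interpreter, so per-user execution through suexec and tight ownership of each document root remain the controls that contain an uploaded PHP script.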
vbforums.com