Date: Sun, 25 Feb 2007 12:17:08 +0100 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Momchil Ivanov <idiotbg@gmail.com> Cc: Stanislav Sedov <stas@freebsd.org>, Alexis Susset <admin@munai.com>, freebsd-security@freebsd.org Subject: Re: Secure shared web hosting using MAC Framework Message-ID: <20070225111708.GA978@zaphod.nitro.dk> In-Reply-To: <200702212218.19806.idiotbg@gmail.com> References: <E6A3BDDE-909D-4217-A773-9C8106358CD2@munai.com> <20070221131421.1709206a.stas@FreeBSD.org> <20070221183154.GA14590@zone3000.net> <200702212218.19806.idiotbg@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--9amGYk9869ThD9tj Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2007.02.21 22:18:15 +0100, Momchil Ivanov wrote: > > But is there any way to disbale related php functions? is there any well > > defined configuration examples for mod_php? >=20 > Is this what you are looking for:=20 > http://www.php.net/manual/en/features.safe-mode.php You should not rely on PHP safe mode and related features working since it's broken by design. There is a reason this was added to the default php.ini on FreeBSD: SECURITY NOTE: The FreeBSD Security Officer strongly recommend that the PHP Safe Mode feature not be relied upon for security, since the issues Safe Mode tries to handle cannot properly be handled in PHP (primarily due to PHP's use of external libraries). While many bugs in Safe Mode has been fixed it's very likely that more issues exist which allows a user to bypass Safe Mode restrictions. For increased security we always recommend to install the Suhosin extension. Running untrusted code in PHP just as unsafe as any other untrusted program on your system. It can be OK to use safe mode related features as an extra layer of trouble an attacker has to get through, but you should still treat the setup as though the safe mode stuff isn't there and assume people can break it. See also http://www.vuxml.org/freebsd/pkg-php5.html for more information on why safe mode shouldn't be trusted. --=20 Simon L. Nielsen FreeBSD Security Team --9amGYk9869ThD9tj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFF4XAzBJx0gP90kKsRAjMZAKCBTOMuL7CQFjJcWp78XU+T9lB+iQCeJZx5 k7+L5JTZDfTqdNUk5lq0TiM= =T/lw -----END PGP SIGNATURE----- --9amGYk9869ThD9tj--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070225111708.GA978>