Re: Secure shared web hosting using MAC Framework
--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On 2007.02.21 22:18:15 +0100, Momchil Ivanov wrote:
> > But is there any way to disbale related php functions? is there any well
> > defined configuration examples for mod_php?
>=20
> Is this what you are looking for:=20
> http://www.php.net/manual/en/features.safe-mode.php
You should not rely on PHP safe mode and related features working
since it's broken by design. There is a reason this was added to the
default php.ini on FreeBSD:
SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
the PHP Safe Mode feature not be relied upon for security, since the
issues Safe Mode tries to handle cannot properly be handled in PHP
(primarily due to PHP's use of external libraries). While many bugs
in Safe Mode has been fixed it's very likely that more issues exist
which allows a user to bypass Safe Mode restrictions.
For increased security we always recommend to install the Suhosin
extension.
Running untrusted code in PHP just as unsafe as any other untrusted
program on your system.
It can be OK to use safe mode related features as an extra layer of
trouble an attacker has to get through, but you should still treat the
setup as though the safe mode stuff isn't there and assume people can
break it.
See also http://www.vuxml.org/freebsd/pkg-php5.html for more
information on why safe mode shouldn't be trusted.
--=20
Simon L. Nielsen
FreeBSD Security Team
--9amGYk9869ThD9tj
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
iD8DBQFF4XAzBJx0gP90kKsRAjMZAKCBTOMuL7CQFjJcWp78XU+T9lB+iQCeJZx5
k7+L5JTZDfTqdNUk5lq0TiM=
=T/lw
-----END PGP SIGNATURE-----
--9amGYk9869ThD9tj--
討論串 (同標題文章)
完整討論串 (本文為第 7 之 7 篇):