> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Stephanie Sullivan
> Sent: Wednesday, December 16, 2009 10:13 AM
> To: 'BlueOnyx General Mailing List'
> Subject: [BlueOnyx:03117] Re: php error
>
> There are two things to consider:
> 1) in php.ini - is safe mode on? I go with yes.
> 2) in php.ini - is safe mode gid on? I'd bet no and suggest turning
> it on.
>
> With php includes in safe_mode the owner of the including script must be
> the same as the script being included. If not, no joy.
>
> Safe mode gid tells php to use the group rather than the owner as the
> basis. So, files of different owners than the calling php file can load those
> files with an include.
>
> Here are some safe mode controls from my php.ini
>
> safe_mode = On
> safe_mode_gid = On
There is some confusion about this to me and probably others. According to this webpage, http://aymanh.com/checklist-for-securing-php-configuration, safe_mode and safe_mode_gid are not supposed to be enabled together, rather individually:

"In its default state, PHP's safe mode is too restrictive for any advanced development to be possible. However, there are several settings to relax it. The biggest problem with safe mode is that only files owned by Apache are accessible to PHP scripts. This is often impractical when many developers are working on the same project, or when you want PHP to read a file without changing its ownership. Another affected situation is when you want PHP to read files generated by other programs. To work around this, there is a setting that checks for file group instead of owner:

safe_mode = Off
safe_mode_gid = On

With safe_mode_gid enabled instead of safe_mode, PHP will be able to open files that belong to Apache's group regardless of the owner. So if there are several developers working on the same server, add them to Apache's group, make it their default group, and everything should be set."

Also, I was the one asking about exec the other day, and using safe_mode_gid together with an exec include directory, I should be able to run binaries such as ImageMagick. The question I have is this: as the page listed above states, I could create a directory and put symbolic links to binaries in it for the web sites that wanted to use ImageMagick. This would allow me to isolate only binaries that are safe for websites to execute. Therefore, the question is, what binaries other than the ImageMagick ones are usable by a web site?
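As an added illustration, not part of either message in this thread, here is a php.ini fragment that ties together the settings under discussion: safe-mode group checking plus the two directory directives PHP 5 provides for relaxing safe mode, safe_mode_include_dir (the UID/GID check is skipped for files included from under it) and safe_mode_exec_dir (exec(), system() and friends refuse to start programs that are not located in it, which is what makes the "directory of symlinks" idea work). In PHP's implementation safe_mode_gid only changes how the safe-mode ownership comparison is made (group instead of owner) and has no effect when safe_mode itself is off, so both are set here, as in Stephanie's php.ini. The directory paths are assumptions. Safe mode was deprecated in PHP 5.3 and removed in 5.4, so this fragment only applies to the older PHP 5 builds that still ship it.

```ini
; Added example, not from the original thread. Directory paths are assumed.
; Applies only to PHP 5 builds that still include safe mode
; (deprecated in 5.3, removed in 5.4).

; Master switch: safe_mode_gid has no effect unless this is On.
safe_mode = On

; Compare the group (GID) of the accessed file with the script's group
; instead of the owner (UID), so files owned by different developers
; but belonging to the web server's group stay readable and includable.
safe_mode_gid = On

; Files under this tree (and its subdirectories) are exempt from the
; UID/GID check when included. Keep it to shared library code only.
safe_mode_include_dir = /var/www/shared-includes

; exec()/system()/passthru()/popen() refuse programs that are not located
; in this directory. Populate it with symlinks to the few binaries sites
; actually need (for example ImageMagick's convert) and nothing else.
safe_mode_exec_dir = /usr/local/safe-exec
```

Because every site on the box shares one php.ini, whatever is symlinked into safe_mode_exec_dir is reachable by every PHP script the server runs, so the directory should be owned by root, not writable by the web server's user, and reviewed whenever a new link is added.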
