On Mon, Sep 16, 2002 at 07:38:16PM -0700, Bob Miller wrote:
> Bob Crandell wrote:
>
> > Larry, I'm crushed. Do I detect a bit of prejudice here? Please
> > tell me it isn't so.
>
> It isn't so.
>
> Larry isn't prejudiced, he's just accurately describing PHP.

Granted, php will let a person write horrible code. One way to minimize the ugliness is to use php.ini-recommended instead of php.ini-dist as the php.ini. I really think Larry was talking more about postnuke in particular than php in general, tho. I can't tell the difference in execution time between a purely Apache http authentication and a php http authentication, and none of the sites I've built with php look like slashdot.

Also, running a chrooted httpd with mod_php is much simpler than with mod_perl or mod_python, as perl and python need to be able to find their modules at will (a modularly built php loads its modules when httpd is started). One could use 'mount --bind' or mount_null to put the modules into the chroot, but the point of a chroot is to keep as much as possible out of reach. IOW, an attacker could modify 'remounted' perl or python modules that would later get executed outside of the chroot by unsuspecting users, possibly by root.

Other options include copying the modules into the chroot or having two separate perl/python installations. Neither of these seems to be very easy to manage.

Just my $0.02.

--
<[EMAIL PROTECTED]>
_______________________________________________
Eug-lug mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
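
The bind-mount concern raised in the message above can be audited on a Linux host. The following is an added example, not part of the original post: it parses text in `/proc/self/mountinfo` format and reports subtree bind mounts under a chroot that are still writable. The chroot paths and the sample mount table are constructed for illustration.

```python
# Added example: flag writable subtree bind mounts inside a chroot.
# Input is text in Linux /proc/self/mountinfo format (see proc(5)).
import os
import re

# Constructed sample data; paths such as /var/chroot/httpd are hypothetical.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:1 /usr/lib/perl5 /var/chroot/httpd/usr/lib/perl5 rw,relatime shared:1 - ext4 /dev/sda1 rw
41 22 8:1 /usr/lib/python2.2 /var/chroot/httpd/usr/lib/python2.2 ro,relatime shared:1 - ext4 /dev/sda1 rw
42 22 0:30 / /var/chroot/httpd/tmp rw,nosuid,nodev - tmpfs tmpfs rw
43 22 8:1 /srv/my\\040modules /var/chroot/other/lib rw,relatime - ext4 /dev/sda1 rw
"""


def _unescape(path):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def writable_bind_mounts(mountinfo_text, chroot):
    """Return (mount_point, source_subtree) for writable bind mounts under chroot.

    Heuristic: field 4 (root) other than "/" means a subtree of a filesystem
    is mounted, which is what 'mount --bind /some/dir ...' produces. A bind
    mount of a whole filesystem has root "/" and is not detected here.
    """
    chroot = os.path.normpath(chroot)
    findings = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue  # not a well-formed mountinfo record
        root, mount_point = _unescape(fields[3]), _unescape(fields[4])
        options = fields[5].split(",")  # per-mount options, e.g. rw or ro
        inside = os.path.commonpath([chroot, os.path.normpath(mount_point)]) == chroot
        if inside and root != "/" and "rw" in options:
            findings.append((mount_point, root))
    return findings


if __name__ == "__main__":
    for mount_point, source in writable_bind_mounts(SAMPLE_MOUNTINFO, "/var/chroot/httpd"):
        print("writable bind mount:", mount_point, "<-", source)
```

On a live system, pass the contents of `/proc/self/mountinfo` instead of the sample string.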
