Req #26026 [Com]: Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)

[valentiny510 at yahoo dot es]

Edit report at https://bugs.php.net/bug.php?id=26026&edit=1

 ID:                 26026
 Comment by:         valentiny510 at yahoo dot es
 Reported by:        roman at compic dot ee
 Summary:            Add exec_dir directive (same as safe_mode_exec_dir
                     but without safe-mode)
 Status:             Open
 Type:               Feature/Change Request
 Package:            Program Execution
 Operating System:   *
 PHP Version:        *
 Block user comment: N
 Private report:     N

 New Comment:

After 10 years, with removed safe_mode, guys please just close many of old 
Bugs/Requests like this or simple add a new status like DEPRECATED.. or change 
something.. 10 Years.. cmon 

- - -

I remember a man who made an appointment with the doctor and 6-7 years after 
his death his widow received a letter saying that they canceled the appointment.


Previous Comments:
------------------------------------------------------------------------
[2012-04-20 12:53:41] php at cabillot dot eu

To the php team : what do you think about this feature ?

Now that safe_mode is disabled, how hosting companies can protect consumers 
from 
themselves ?

------------------------------------------------------------------------
[2005-09-23 13:49:42] derbubi at gmx dot net

A Patch for this problem is available here:
http://kyberdigi.cz/projects/execdir/english.html

This Option would be very nice, even if it decreases performance (if this 
decrease is optional)

------------------------------------------------------------------------
[2003-10-29 05:23:31] roman at compic dot ee

Description:
------------
By bow we have safe_mode_exec_dir
working (and good) for shared hosting, only if SAFE_MODE enabled.

But often, SAFE_MODE need to be turned off. After this
safe_mode_exec_dir is nothing. So we need to disable some funtions 
(system,passthru,...). But it can be done only for _ALL_ hosts. So if one host 
use "system()" in "safe_mode 1" to one or two special programs and happy - i 
can't turn SAFE_MODE 0 for other hosts. It's became realy danger - sometimes 
users have unsecure scripts and by using 'blah.php?f=http://somethere...' 
intruder can get nobody shell. Nobody shell mean - He can read mysql password 
in config.php or settings.php files. He also can install blindshell.

So maybe good to add 'exec_dir' variable for working in 'safe_mode 0' ?


Reproduce code:
---------------
none needed



------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=26026&edit=1