The one main problem with safe_mode in general is that the idea is 
problematic by definition.  Security outside the OS level is prone to 
errors, and a false sense of security is much worse than knowing you're 

In my opinion, safe mode should only feature features which can have an 
infrastructure-level solution, and are not prone to errors.  There aren't 
too many of these.  The current safe mode implementation is extremely prone 
to errors because it tries to protect opened files, and the way it's built, 
it's bound to be missing checks in many places...


At 22:53 1/2/2001, Jason Greene wrote:
>Is anyone up for a discussion on the redesign of safe_mode? I would like 
>to start working on this sometime soon, and I have a lot of
>ideas, but I know this is going to be something of a large debate.
>Some of the new features I think would benefit php include:
>* safe_mode_hide_env_vars - will allow extra protection on removing 
>environmental vars from hosted users ( I actually have a patch
>for this but I have been waiting on it to discuss the redesign)
>* User configurable policy - safe_mode could have configuration directives 
>to specify exactly what checks are desired
>* Virtual Chroot - the ability to perform a chroot to a virtual host 
>directory structure, so that a hosted user can not access
>anything outside of their directory structure.
>* Shared Directories - The ability to specify a list of paths that are 
>shared amongst all hosted users. This would allow certain
>extensions (gd, oracle, etc) the ability to access the needed datafiles 
>without failing a safe_mode check.
>Any comments, suggestions, other ideas?

Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/
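
As an added illustration of the two points made in this exchange (a file-access check done outside the OS is easy to get wrong, and shared directories need an explicit allowlist), below is a small Python model of a "virtual chroot" check. It is not code from PHP or from either poster; the directory layout, the shared directory and the function names are assumptions made for the example. It contrasts the tempting string-prefix test against a check that canonicalises the path first and compares whole directory components, and it runs over a constructed temporary directory tree.

```python
import os
import shutil
import tempfile


def naive_check(path, jail):
    """The tempting shortcut: a string prefix test on the path as the
    script supplied it, before anything has been resolved."""
    return path.startswith(jail)


def confine(path, jail, shared=()):
    """Virtual-chroot check: canonicalise, then compare whole directory
    components against the jail and each shared directory.

    Returns the resolved path if it is allowed, otherwise None."""
    real = os.path.realpath(path)  # follows symlinks and collapses '..'
    for root in (jail, *shared):
        root_real = os.path.realpath(root)
        # commonpath works on components, so /home/alice is not treated
        # as a prefix of /home/alice2 the way str.startswith would
        if os.path.commonpath([real, root_real]) == root_real:
            return real
    return None


def build_fixture():
    """Constructed directory tree (hypothetical layout, not from the thread):
    a jail for 'alice', a neighbour 'alice2', a shared font directory,
    and a symlink inside the jail that points out of it."""
    base = tempfile.mkdtemp(prefix="safe_mode_demo_")
    jail = os.path.join(base, "home", "alice")
    neighbour = os.path.join(base, "home", "alice2")
    shared = os.path.join(base, "usr", "share", "fonts")
    for d in (jail, neighbour, shared):
        os.makedirs(d)
    secret = os.path.join(neighbour, "secret.txt")
    with open(secret, "w") as f:
        f.write("constructed: belongs to alice2\n")
    os.symlink(secret, os.path.join(jail, "link_out"))
    with open(os.path.join(shared, "arial.ttf"), "w") as f:
        f.write("constructed font data\n")
    return base, jail, neighbour, shared


def demo():
    """Run both checks over a set of paths; returns, per case, whether
    the naive check and the confine() check each allow the access."""
    base, jail, neighbour, shared = build_fixture()
    try:
        cases = {
            "own_file": os.path.join(jail, "index.php"),
            "prefix_collision": os.path.join(neighbour, "secret.txt"),
            "dotdot": os.path.join(jail, "..", "alice2", "secret.txt"),
            "symlink_out": os.path.join(jail, "link_out"),
            "shared_font": os.path.join(shared, "arial.ttf"),
        }
        return {
            name: {
                "naive": naive_check(p, jail),
                "confined": confine(p, jail, [shared]) is not None,
            }
            for name, p in cases.items()
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17} naive={verdict['naive']!s:5} "
              f"confined={verdict['confined']}")
```

The prefix test lets three of the constructed accesses through (a neighbouring directory whose name merely starts with the jail's, a `..` traversal, and a symlink planted inside the jail) and blocks the legitimate shared font file; `confine()` gets all five right. Even so, `confine()` resolves the path at one moment and the caller opens it at another, so a symlink swapped in between the two still wins. That race is one concrete form of the error-proneness of doing this in userland rather than in the OS.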

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
