> I did read it. Very carefully and not only once. Did you read MY
> response carefully?
>
> What you are saying now is exactly what I'm trying to say (and I think
> I actually did. The thing about modularity). All this should
> *NOT* be handled by PHP but it still _IS_ and you (not specifically you,
> rasmus, but some of the developers) recommend using mod_php for
> virtual hosting. The only thing I'm talking about is:
>
>   mod_php (+ safe_mode) != virtual hosting
>
> it should be
>
>   php cgi (+ safe_mode) == virtual hosting
>
> and
>
>   mod_php == own, private box. performance boost.

But what I am saying is that

  mod_php + multiple apache instances == real virtual hosting

The performance penalty and other restrictions of PHP-cgi invalidate that
approach as far as I am concerned.

> I'm not saying it's not possible, but this is not a *CLEAN* solution.
> What you are suggesting me is a workaround, nothing more. There is
> nothing on php.net about your solution, so you must admit it's not a
> standard solution.

Sure it is.  And there is stuff on it at php.net.  Plenty of it under
conf.php.net.  But no, it isn't in the PHP manual because that manual is
not supposed to teach ISPs how to do their jobs.

> > No it doesn't.  safe_mode doesn't check +r, it looks at the user and group
> > ids that own the directory.  +r is irrelevant.
>
> PHP cannot circumvent the unix file permissions. If our apache
> (www-data) is able to LIST /tmp/ then every user is able to do the
> same thing within a PHP script - logically. This has nothing to do
> with safe_mode.

You don't really understand safe-mode then.  Correct, if the apache user
has no perms to read something, then regardless of the safe-mode setting,
a php script cannot read it.  But the converse is not true.  If the Apache
user id has unix-level perms to read something, then safe-mode very much
affects whether the file can actually be read and this has everything to
do with safe-mode.  That's what safe-mode is for.  It checks the owner of
the file and compares it to the owner of the current script.  If the two
don't match you get a safe-mode error and you can't read the file.

> /etc/ also belongs to root, but I'm still able to look into it,
> because there is a o+rx on that directory. Or did we configure
> something wrong? We are using debian and apache is www-data.

If /etc/* is owned by root and your php script is not owned by root, then
unless you configured something terribly wrong, your script should not be
able to read a root-owned file.

-Rasmus
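
Added example, not part of the original message and not PHP's own source: a simplified C model of the two checks discussed above, the Unix permission check for the Apache user followed by the safe-mode comparison of file owner and script owner. The uids, the `file_meta` struct and the function names are assumptions made for illustration; supplementary groups are ignored.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed description of a file: owner, group and permission bits. */
struct file_meta { uid_t uid; gid_t gid; mode_t mode; };

/* Layer 1: Unix read check for the server process (e.g. www-data). */
static bool unix_can_read(uid_t proc_uid, gid_t proc_gid, struct file_meta f)
{
    if (proc_uid == 0)     return true;                    /* root bypasses mode bits */
    if (proc_uid == f.uid) return (f.mode & S_IRUSR) != 0; /* owner class */
    if (proc_gid == f.gid) return (f.mode & S_IRGRP) != 0; /* group class */
    return (f.mode & S_IROTH) != 0;                        /* everyone else */
}

/* Layer 2: safe-mode rule as stated in the message: the file's owner
 * must be the owner of the script that is currently running. */
static bool safe_mode_owner_ok(uid_t script_uid, struct file_meta f)
{
    return script_uid == f.uid;
}

/* A read succeeds only if the OS allows it AND (when enabled) safe mode agrees. */
static bool php_can_read(uid_t proc_uid, gid_t proc_gid, uid_t script_uid,
                         bool safe_mode, struct file_meta f)
{
    if (!unix_can_read(proc_uid, proc_gid, f))
        return false;               /* safe mode can never grant extra access */
    return !safe_mode || safe_mode_owner_ok(script_uid, f);
}

int main(void)
{
    const uid_t www = 33, alice = 1001;                  /* constructed ids */
    struct file_meta root_file  = { 0, 0, 0644 };        /* root-owned, o+r */
    struct file_meta alice_file = { alice, alice, 0644 };
    struct file_meta alice_priv = { alice, alice, 0600 };

    printf("root file,  safe_mode off: %d\n", php_can_read(www, www, alice, false, root_file));
    printf("root file,  safe_mode on : %d\n", php_can_read(www, www, alice, true,  root_file));
    printf("own file,   safe_mode on : %d\n", php_can_read(www, www, alice, true,  alice_file));
    printf("0600 file,  safe_mode on : %d\n", php_can_read(www, www, alice, true,  alice_priv));
    return 0;
}
```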


-- 
PHP Development Mailing List <http://www.php.net/>