On May 11, 2002 11:35 am, you wrote:
> > There are numerous ways to bypass it, rely on file system utils if they
> > are in the path,
>
> Won't work.
>
> > make the script copy itself and then write stuff as webserver,
>
> You always write stuff as web server
What is the point of limiting the script's write access if it can just bypass
that by making a copy of itself? This merely adds an annoyance step for the
programmer.
>
> > install a small script into cgi-bin directory that will do the same thing
>
> That's not really a PHP issue. Many ISPs turn off cgi-bin access so in
> those cases that won't work.
>
Certainly some ISPs do that, but most do offer cgi-bin directories in addition
to PHP, because many of their customers rely on perl/c etc. scripts that can
be run via cgi-bin.
> > The number of ways to bypass this feature are too numerous to list here.
>
> Let's have some real specifics please.
>
Sure, here is just 1 example:
Current directory is "/home/user/dir1/dir2/"
mkdir("/home/user/dir1/dir2/dir3") fails (Safe Mode Error)
mkdir("dir3") works fine
This has been replicated with PHP 4.2.0 on 2 servers I've tried this on.
> > It is my belief that safe_mode gives people who use it a false sense of
> > security by "supposedly" securing their webserver from their own users,
> > which is pointless since a "dedicated user" can cause plenty of damage by
> > using while(1) include $PHP_SELF; etc...
>
> The process limits should take care of that.
There are numerous and untold ways to cause PHP to eat up the cpu or to crash
the child; more than a few ways were posted on this list. That was just the
simplest example I could show.
>
> > In addition safe_mode makes the developer life extremely difficult since
> > it blocks the most common operations that ARE ALLOWED by the webserver's
> > file permissions, why does PHP take on the role that is not done in any
> > other programming language?
>
> Because PHP is in many cases the only scripting language an ISP is willing
> to give people access to on a shared server.
I agree that the most common use of PHP is as a web scripting language, but IMHO
it is the job of the webserver/filesystem to limit what a user can do, not of
the scripting or programming language.
> > For example, if a user uploads test.php with their FTP and test.php
> > creates a file, it will no longer be able to read that file under
> > safe_mode since the uid of the script and the file it created differ.
>
> Correct. That's why we have open_basedir.
Ideally every ISP would use it and each virtual host would have such a
directory. In reality I've yet to see a SINGLE ISP that has used that option.
In fact I didn't know about it myself until you told me about it on IRC.
Ilia
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
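Added illustration, not part of the thread or of PHP itself: a Python sketch of an open_basedir-style check that canonicalizes the target path before comparing it with the allowed directories, so the relative and absolute forms of the mkdir target in the example above are judged the same way, and "../" or symlink escapes and look-alike sibling directories are refused. The directory tree, the "user" home and the symlink are constructed in a temporary directory.

```python
import os
import shutil
import tempfile


def canonical(path: str, cwd: str) -> str:
    """Resolve a path the way the filesystem will see it: anchor a relative
    path at cwd, collapse '.' and '..', and follow symlinks (realpath).
    Trailing components that do not exist yet are kept, so a path that is
    about to be created (mkdir, fopen for writing) can be checked first."""
    return os.path.realpath(os.path.join(cwd, path))


def within_basedir(path: str, cwd: str, basedirs: list) -> bool:
    """True iff the canonical form of path lies inside one of basedirs.
    The comparison appends a separator so that '/home/user2' is not
    accepted by a basedir of '/home/user'."""
    target = canonical(path, cwd)
    for base in basedirs:
        root = os.path.realpath(base)
        if target == root or target.startswith(root.rstrip(os.sep) + os.sep):
            return True
    return False


def demo() -> dict:
    """Constructed tree: <tmp>/home/user/dir1/dir2 is the script's cwd,
    <tmp>/home/user is the only allowed basedir, and dir2/link points
    outside it. Returns the verdict for each case discussed in the thread."""
    top = tempfile.mkdtemp()
    try:
        home = os.path.join(top, "home", "user")
        cwd = os.path.join(home, "dir1", "dir2")
        outside = os.path.join(top, "elsewhere")
        os.makedirs(cwd)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(cwd, "link"))  # escape via symlink
        bases = [home]
        return {
            # relative and absolute spellings of the same mkdir target agree
            "relative_mkdir": within_basedir("dir3", cwd, bases),
            "absolute_mkdir": within_basedir(os.path.join(cwd, "dir3"), cwd, bases),
            "dotdot_escape": within_basedir("../../../../etc/passwd", cwd, bases),
            "symlink_escape": within_basedir("link/secret", cwd, bases),
            "sibling_prefix": within_basedir(home + "2/file", cwd, bases),
        }
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```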