> What is the point of limiting the script's write access if it can just bypass
> that by making a copy of itself? This merely adds an annoyance step for the
> programmer.
If user joe makes a copy of his script so it now is owned by nobody, it
still doesn't let him read user bob's scripts.
> > That's not really a PHP issue. Many ISP's turn off cgi-bin access so in
> > those cases that won't work.
> >
>
> Cerainly some ISPs do that, but most do offer cgi-bin directories in addition
> to PHP, because many of their customers rely on perl/c etc.. scripts that can
> be run via cgi-bin.
And in that case you can also write cgi-bin programs in PHP then. What's
your point?
> Sure here is just 1 example:
>
> Current directory is "/home/user/dir1/dir2/"
> mkdir("/home/user/dir1/dir2/dir3") fails (Safe Mode Error)
> mkdir("dir3") works fine
>
> This has been replicated with PHP 4.2.0 on 2 servers I've tried this on.
Did you file a bug report? I can't replicate this on my server. Do you
have symlinks, nfs or something else involved?
> There are numerous and untold ways to cause PHP to eat up the cpu or to crash
> the child, more then a few ways were posted on this list. That was just the
> simplest example I could show.
Yes, but safe_mode guards against one user getting at another's user's
data. So again, I fail to see your point here.
> > Because PHP is in many cases the only scripting language an ISP is willing
> > to give people access to on a shared server.
>
> I agree that most common use of PHP is a web scripting language, but IMHO it
> is the job of the webserver/filesystem to limit what user can do, not of the
> scripting or programming language.
Correct, but we have a situation where multiple users all run under the
same UNIX user id. In this case you cannot solve things strictly with
UNIX-level permissions. The real solution is of course to not run
everything as the same user id, but that is not something PHP has any
control over. We simply try to do the best we can with the hand we are
dealt.
> > Correct. That's why we have open_basedir.
>
> Ideally every ISP would use it and each virtual host would have such a
> directory. In reality I've set to see a SINGLE ISP that has used that option.
> In fact I didn't know about it myself until you told me about on IRC.
Well, it is well documented. The ignorance and stupidity of many ISP's is
just a fact of life. I am a firm believer in Darwinism amongst ISP's and
figure the really stupid ones will eventually die off. I am not going to
go out an actively shoot them though, because that might be illegal.
-Rasmus
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
