> disable_functions = sleep

Ah but you forgot usleep, and flock() and socket_set_limit etc... Soon enough you'll disable every function.
And when you do, I'll still be able to deadlock a PHP process by making it execute a query on a locked SQL table, thus end up waiting forever for the lock to be released. So, you'll need to disable all database functions from your PHP.

> > > > > The argument you make to remove safe mode because it is not perfect
> > > > > is unfounded. By the same argument you could say we shouldn't use
> > > > > locks on our doors, because hey "they can be picked".
> > > >
> > > > Safe mode is not only imperfect it does not even work properly. In
> > > > the last day and a half I've showed 5 bugs that allow it to be bypassed,
> > > > simply take a look at the latest safe_mode bugs.
> > >
> > > Five, I only saw one. Regardless they can and should be fixed.
> >
> > Check again:
> >
> > Bug report #17168-69
> > Bug report #17155-57
>
> All of those regarding safe mode are fixed now.

Really, you don't say... bug reports #17168-69 are still open at the time of this message being written. And when they are closed, don't worry I'll have a few more posted tomorrow for your enjoyment...

> It depends on why the lock is broken, you have been suggesting this
> whole time that safe mode is a DESIGN flaw. However, your reasoning is
> only BUILD flaws. I have yet to hear a single reason as to why the
> concept of extra uid, checks of files is a bad thing.

It is not PHP's job as a scripting/programming language to do security. Security should/must be done at the OS and web server level. Checking uid is STUPID, the simplest example, is that if you upload a php script and it creates a file you can no longer read or write to that file even though you have file permissions to do so. File system permissions exist for a reason, use them. If you have sensitive data, like credit card information and you are not using a dedicated server to store that data then do be surprised to find your data in someone else's hands.
In a shared environment especially where programming/scripting languages are available it is merely a matter of time before someone takes advantage of some security hole/oversight and grabs hold of your data.

> There are problems here and you can be a bit more constructive, and send
> patches, offer new security techniques, report bugs. Exaggerating and
> cursing safe mode does nothing but waste time.

I am clearly demonstrating the problem and if you actually paid attention instead of trying to pretend this problem did not exist, reporting bugs about it. I'd gladly offer a patch that will get rid of safe_mode for the core php tree if developers are willing to add it to the CVS :)

Safe mode is wasteful and pointless, this is no exaggeration, it makes development in the "safe" environment pointlessly difficult and offers no real safety.

Ilia

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php