At 04:38 PM 5/13/2002, Jason T. Greene wrote:
> > I do, for two simple reasons:
> > - Misperception about what it's supposed to do - it does NOT secure your
> > environment, people expect it to. That's a 'marketing' issue, but we
> > should realize that these kinds of issues are at least as important as the
> > technical ones.
>
> I get the feeling that you are mainly arguing the marketing perspective.
> : )

Yep - safe mode is misperceived by a large number of people. I, for one, can't define exactly what it does, and I'm fairly familiar with its spec. I guess the closest I can get is by saying it makes tampering with other users' files more difficult, without being able to actually quantify it. I believe that at large, it's perceived as some sort of a jail mechanism that allows you to let users on your shared hosting environment safely, which is absolutely not true. However, if many people perceive it that way, then the problem is ours, not theirs.

> I completely agree that safe mode is badly named. However, I still find
> uid checking, and restricting process spawning very useful

The only problem I have with it is that by definition, it will always be possible to relatively easily circumvent these protections. If it's not done at the OS level, then sooner or later, we would screw up and leave a hole. And it only takes one hole - the thousand other holes which are plugged are meaningless. Safe mode is something that virtually any buffer overflow exploit could work around, and my guess is that there are *MANY*. We've had a big public one recently, because it was remotely exploitable - but I'm pretty sure that there are plenty more lurking in the code, that are only locally exploitable. And that's assuming we manage to plug all of the 'high level' holes to begin with...

My point is simple - safe mode does uid checking and restricts process spawning - but it does so in a way which is inherently unreliable. It's not impossible to make it reliable, but I believe it's not humanly possible either...

In a perfect world, ISPs would have used chroot'd environments always, running either CGIs or dedicated Apaches. But then, we're on Earth...

Zeev

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php