features safe-mode.xml

Serdar Soydemir Mon, 10 Dec 2001 10:38:42 -0800

tpug            Mon Dec 10 13:39:22 2001 EDT

  Added files:                 
    /phpdoc/tr/features safe-mode.xml 
  Log:
  added by Alper up-to-date


Index: phpdoc/tr/features/safe-mode.xml
+++ phpdoc/tr/features/safe-mode.xml
<?xml version="1.0" encoding="iso-8859-9"?>
<!-- $Revision: 1.1 $ -->
 <chapter id="features.safe-mode">
  <title>Güvenli Kip</title>

  <para>
   Güvenli kip payla&scedil;&inodot;ml&inodot;-sunucu kavram&inodot;n&inodot;n 
getirdi&gbreve;i güvenlik sorunlar&inodot;n&inodot;
   çözmeye yönelik bir ad&inodot;md&inodot;r. Bu sorunu PHP seviyesinde çözmeye 
çal&inodot;&scedil;mak,
   mimari aç&inodot;dan do&gbreve;ru de&gbreve;ildir, fakat HTTP sunucusu ve 
i&scedil;letim sistemi
   seviyesindeki alternatifler çok gerçekçi olmad&inodot;&gbreve;&inodot;ndan, çok 
say&inodot;da ki&scedil;i,
   özellike ISS'ler, &scedil;imdilik güvenli kipi kullan&inodot;rlar.
  </para>
  <para>
   Güvenli kipi kontrol eden direktifler &scedil;unlard&inodot;r:
   <programlisting role="ini">
<![CDATA[
safe_mode = Off 
open_basedir = 
safe_mode_exec_dir = 
safe_mode_allowed_env_vars = PHP_ 
safe_mode_protected_env_vars = LD_LIBRARY_PATH 
disable_functions = 
]]>
   </programlisting>
  </para>
  <para>
   <link linkend="ini.safe-mode">safe_mode</link>'un aktif oldu&gbreve;u zamanlarda,
   PHP, dosya fonksiyonlar&inodot;yla bir dosya üzerinde i&scedil;lem yapmadan önce o
   dosyayla çal&inodot;&scedil;makta olan beti&gbreve;in sahiplerini 
kar&scedil;&inodot;la&scedil;t&inodot;r&inodot;r. Örne&gbreve;in:
   <programlisting role="ls">
<![CDATA[
-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php 
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd 
]]>
   </programlisting>
   Bu beti&gbreve;i çal&inodot;&scedil;t&inodot;rmak:
   <programlisting role="php">
<![CDATA[
<?php
 readfile('/etc/passwd'); 
?>
]]>
   </programlisting>
   Güvenli kipin aç&inodot;k oldu&gbreve;u zamanlarda &scedil;unun gibi bir hata ile 
sonuçlan&inodot;r:
   <screen>
<![CDATA[
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not 
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2
]]>
   </screen>
  </para>
  <para>
   E&gbreve;er <link linkend="ini.safe-mode">safe_mode</link> yerine, open_basedir
   ile bir dizin belirtirseniz, bütün dosya i&scedil;lemleri belirtilen bu dizin 
alt&inodot;nda
   gerçekle&scedil;ecektir. Örne&gbreve;in (Apache httpd.conf örne&gbreve;i):
   <programlisting role="ini">
<![CDATA[
<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>
]]>
   </programlisting>
   Ayn&inodot; script.php beti&gbreve;ini bu open_basedir ayar&inodot;yla 
çal&inodot;&scedil;t&inodot;r&inodot;rsan&inodot;z
   alaca&gbreve;&inodot;n&inodot;z sonuç:
   <screen>
<![CDATA[
Warning: open_basedir restriction in effect. File is in wrong directory in 
/docroot/script.php on line 2 
]]>
   </screen>
  </para>
  <para>
   Ayr&inodot;ca istedi&gbreve;iniz fonksiyonlar&inodot;n kullan&inodot;mdan 
kald&inodot;rabilirsiniz. Bunu php.ini
   dosyam&inodot;za eklersek:
   <programlisting role="ini">
<![CDATA[
disable_functions readfile,system  
]]>
   </programlisting>
   &Scedil;u ç&inodot;kt&inodot;y&inodot; al&inodot;r&inodot;z:
   <screen>
<![CDATA[
Warning: readfile() has been disabled for security reasons in 
/docroot/script.php on line 2 
]]>
   </screen>
  </para>

  <sect1 id="features.safe-mode.functions">
   <title>Güvenli Kip taraf&inodot;ndan k&inodot;s&inodot;tlanan/iptal edilen 
fonksiyonlar</title>
   <para>
    <link linkend="features.safe-mode">Safe Mode</link> taraf&inodot;ndan 
k&inodot;s&inodot;tlanan
    fonksiyonlar&inodot;n listesi büyük ihtimalle halen tam de&gbreve;il ve 
yanl&inodot;&scedil; olmas&inodot;
    gayet mümkün: 
    <!-- TODO: add &note.sm.*; to the functions mentioned here.
    That entity should link to this section -->
    <table>
     <title>Güvenli Kip taraf&inodot;ndan k&inodot;s&inodot;tlanan fonksiyonlar</title>
     <tgroup cols="2">
      <thead>
       <row>
        <entry>Fonksiyon</entry>
        <entry>K&inodot;s&inodot;tlama</entry>
       </row>
      </thead>
      <tbody>
       <row>
        <entry><function>dbmopen</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>dbase_open</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>filepro</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>filepro_rowcount</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>filepro_retrieve</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>ifx_*</function></entry>
        <entry>sql_safe_mode k&inodot;s&inodot;tlamalar&inodot;, (!= Güvenli 
Kip)</entry>
        <!-- TODO: more info on sql-safe-mode -->
       </row>
       <row>
        <entry><function>ingres_*</function></entry>
        <entry>sql_safe_mode k&inodot;s&inodot;tlamalar&inodot;, (!= Güvenli 
Kip)</entry>
        <!-- TODO: more info on sql-safe-mode -->
       </row>
       <row>
        <entry><function>mysql_*</function></entry>
        <entry>sql_safe_mode k&inodot;s&inodot;tlamalar&inodot;, (!= Güvenli 
Kip)</entry>
        <!-- TODO: more info on sql-safe-mode -->
       </row>
       <row>
        <entry><function>pg_loimport</function></entry>
        <entry>&sm.uidcheck;</entry>
        <!-- source TODO: there is no PHP-warning for that safe-mode-restriction -->
       </row>
       <row>
        <entry><function>posix_mkfifo</function></entry>
        <entry>&sm.uidcheck.dir;</entry>
       </row>
       <row>
        <entry><function>putenv</function></entry>
        <entry>safe_mode_protected_env_vars ve safe_mode_allowed_env_vars
         ini-direktiflerine uyar. Ayr&inodot;ca <function>putenv</function>
         hakk&inodot;ndaki dökümanlara bak&inodot;n&inodot;z.</entry>
        <!-- TODO: document those directives in chapters/config.xml -->
       </row>
       <row>
        <entry><function>move_uploaded_file</function></entry>
        <entry>&sm.uidcheck; <!-- TODO: check this --></entry>
       </row>

       <!-- TODO: from here on, add warning to the function itself -->

       <row>
        <entry><function>chdir</function></entry>
        <entry>&sm.uidcheck.dir;</entry>
       </row>
       <row>
        <entry><function>dl</function></entry>
        <entry>&sm.disabled;</entry>
       </row>
       <row>
        <entry><link linkend="language.operators.execution">ters t&inodot;rnak 
i&scedil;lemi</link></entry>
        <entry>&sm.disabled;</entry>
       </row>
       <row>
        <entry><function>shell_exec</function> (ters t&inodot;rnaklar&inodot;n 
fonksiyonal
         e&scedil;i)</entry>
        <entry>&sm.disabled;</entry>
       </row>
       <row>
        <entry><function>exec</function></entry>
        <!-- dirge: practical reasons => pratiksel neden -->
        <entry>Sadece <link
          linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link> ile
         belirtilen dizindeki programlar&inodot; 
çal&inodot;&scedil;t&inodot;rabilirsiniz.
         Pratiksel nedenlerden ötürü &scedil;u an için programa giden yolda
         <literal>..</literal> olmas&inodot;na izin verilmiyor.</entry>
       </row>
       <row>
        <entry><function>system</function></entry>
        <entry>Sadece <link
          linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link> ile
         belirtilen dizindeki programlar&inodot; 
çal&inodot;&scedil;t&inodot;rabilirsiniz.
         Pratiksel nedenlerden ötürü &scedil;u an için programa giden yolda
         <literal>..</literal> olmas&inodot;na izin verilmiyor.</entry>
       </row>
       <row>
        <entry><function>passthru</function></entry>
        <entry>Sadece <link
          linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link> ile
         belirtilen dizindeki programlar&inodot; 
çal&inodot;&scedil;t&inodot;rabilirsiniz.
         Pratiksel nedenlerden ötürü &scedil;u an için programa giden yolda
         <literal>..</literal> olmas&inodot;na izin verilmiyor.</entry>
       </row>
       <row>
        <entry><function>popen</function></entry>
        <entry>Sadece <link
          linkend="ini.safe-mode-exec-dir">safe_mode_exec_dir</link> ile
         belirtilen dizindeki programlar&inodot; 
çal&inodot;&scedil;t&inodot;rabilirsiniz.
         Pratiksel nedenlerden ötürü &scedil;u an için programa giden yolda
         <literal>..</literal> olmas&inodot;na izin verilmiyor.</entry>
        <!-- TODO: not sure. popen uses a completely different implementation
        Don't know why, don't know whether it's behaving the same -->
       </row>
       <row>
        <entry><function>mkdir</function></entry>
        <entry>&sm.uidcheck.dir;</entry>
       </row>
       <row>
        <entry><function>rmdir</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>rename</function></entry>
        <entry>&sm.uidcheck; &sm.uidcheck.dir;<!-- on the old name only, it seems. Is 
rename preventing moving files? --></entry>
       </row>
       <row>
        <entry><function>unlink</function></entry>
        <entry>&sm.uidcheck; &sm.uidcheck.dir;</entry>
       </row>
       <row>
        <entry><function>copy</function></entry>
        <entry>&sm.uidcheck; &sm.uidcheck.dir; (<parameter>kaynak</parameter>
         ve <parameter>hedef</parameter> için) </entry>
       </row>
       <row>
        <entry><function>chgrp</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>chown</function></entry>
        <entry>&sm.uidcheck;</entry>
       </row>
       <row>
        <entry><function>chmod</function></entry>
        <entry>&sm.uidcheck; Ek olarak SUID, SGID ve sticky bitlerini
         açamazs&inodot;n&inodot;z.</entry>
       </row>
       <row>
        <entry><function>touch</function></entry>
        <entry>&sm.uidcheck; &sm.uidcheck.dir;</entry>
       </row>
       <row>
        <entry><function>symlink</function></entry>
        <entry>&sm.uidcheck; &sm.uidcheck.dir; (not: sadece hedef kontrol
         ediliyor)</entry>
       </row>
       <row>
        <entry><function>link</function></entry>
        <entry>&sm.uidcheck; &sm.uidcheck.dir; (not: sadece hedef kontrol
         ediliyor)</entry>
       </row>
       <row>
        <entry><function>getallheaders</function></entry>
        <entry>Güvenli Kipte, 'authorization' ile ba&scedil;layan 
ba&scedil;l&inodot;klar
         (büyük/küçük harf ayr&inodot;m&inodot; yok)
         döndürülmez. Uyar&inodot;: Bu <function>getallheader</function>
         fonksiyonunun aol-server uyarlamas&inodot;nda bozuk!</entry> 
       </row>
       <row>
        <entry><filename>php4/main/fopen_wrappers.c</filename> dosyas&inodot;n&inodot;
         kullanan tüm fonksiyonlar
        </entry>
        <entry>??</entry>
       </row>
      </tbody>
     </tgroup>
    </table>
   </para>
  </sect1>

 </chapter>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->

[PHP-DOC] cvs: phpdoc /tr/features safe-mode.xml

Reply via email to