Hello, I was considering a bug in any of the shipped webapps. Even though the server can have safe_mode enabled, there is a possibility to read information that should remain confidential, like the users list from passwd, which is valuable for spammers. I leave other restrictions out deliberately, as ACLs, open_basedir etc. are not part of our default policy.
Currently a system-wide package creates a bigger threat than any user script, no matter how the environment IS secured (safe_mode, suexec PHP as CGI etc.). Shouldn't we change the default root:root owner to some webapps:webapps?

--
Tom Pala <[EMAIL PROTECTED]>
http://vfmg.sourceforge.net/
http://tccs.sourceforge.net/
_______________________________________________
pld-devel-en mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
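
Added example, not part of the original message or of any PLD package: PHP's safe_mode allows a file operation when the owner of the running script matches the owner of the target file, so this audit lists packaged scripts that share an owner with files that should stay unreadable. The function names, the extension list and the demo paths are assumptions made for illustration.

```python
import os
import tempfile

def owner_uid(path):
    """UID that owns path (the value safe_mode compares)."""
    return os.stat(path).st_uid

def safe_mode_exposed(webapp_root, sensitive_files, uid_of=owner_uid,
                      exts=(".php", ".inc")):
    """Map each script to the sensitive files owned by the same UID.

    safe_mode permits a file operation when the running script's owner
    matches the target file's owner, so every pair returned here is a
    read that safe_mode alone would not block.
    """
    owners = {}
    for target in sensitive_files:
        try:
            owners[target] = uid_of(target)
        except OSError:
            continue  # target missing or unreadable: nothing to compare
    findings = {}
    for dirpath, _dirs, names in os.walk(webapp_root):
        for name in names:
            if not name.endswith(exts):  # assumed script extensions
                continue
            script = os.path.join(dirpath, name)
            try:
                uid = uid_of(script)
            except OSError:
                continue
            hits = sorted(t for t, o in owners.items() if o == uid)
            if hits:
                findings[script] = hits
    return findings

if __name__ == "__main__":
    # Constructed demo tree; on a real host pass the packaged webapp
    # directory and files such as /etc/passwd instead.
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.mkdir(app)
        secret = os.path.join(root, "passwd")
        for p in (os.path.join(app, "index.php"), secret):
            open(p, "w").close()
        for script, hits in safe_mode_exposed(app, [secret]).items():
            print(script, "->", hits)
```

An empty result for the packaged webapp directory means no script there shares an owner with the listed files, which is the state the proposed webapps:webapps ownership aims for.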
