Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
Well, I'm sorry to wait so long to respond back to this. I picked the wrong week/month to start this discussion as I didn't have the time to follow up on it. Now I kinda do. A lot of good and bad (IMHO) points were raised about PHP security in this thread. I am concerned about any one of

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Cristian Rodriguez
2007/11/5, Mark Krenz [EMAIL PROTECTED]: Unless there is some other way in PHP of restricting where you can run programs from (can't find any), Why does PHP need to do that? Isn't that part of OS level security? this is going to become a major problem. This is going to **solve** a major

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Alexey Zakhlestin
On 11/5/07, Mark Krenz [EMAIL PROTECTED] wrote: Some people say to run Apache in a chroot jail, but I think that's unreasonable and a lot of people aren't going to do that or know how to do that properly. Besides, am I really going to run 200+ instances of Apache? That seems unreasonable.

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
On Mon, Nov 05, 2007 at 05:28:07PM GMT, Cristian Rodriguez [EMAIL PROTECTED] said the following: safe_mode does not really resist any analysis, whoever convinced you that it is a good thing does not have a clue. I've done the analysis, so you're saying that I don't have a clue. I don't

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Michael McGlothlin
Much easier and better to just throw every user their own virtual machine. They can go wild and you don't have to worry. Makes it easy to control how much CPU, RAM, and hdd the user is using too. -- Michael McGlothlin Southwest Plumbing Supply

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED] said the following: That's how textdrive/joyent do this and they are more than happy with this approach. Oh really? Read the section on Joyent/Textdrive here:

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
That's obvious and I do offer that. But what about users in a shared environment? There has to be a way to have cheaper accounts for people and the way to do that is to put a couple hundred of them on a machine. On Mon, Nov 05, 2007 at 06:42:35PM GMT, Michael McGlothlin [EMAIL PROTECTED]

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Michael McGlothlin
That's obvious and I do offer that. But what about users in a shared environment? There has to be a way to have cheaper accounts for people and the way to do that is to put a couple hundred of them on a machine. It'd be pretty easy to run a copy of Apache for each user on their own port

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Alexey Zakhlestin
Did you just ignore the part about fastcgi? On 11/5/07, Mark Krenz [EMAIL PROTECTED] wrote: On Mon, Nov 05, 2007 at 06:35:50PM GMT, Alexey Zakhlestin [EMAIL PROTECTED] said the following: That's how textdrive/joyent do this and they are more than happy with this approach. Oh really?

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
On Mon, Nov 05, 2007 at 07:02:05PM GMT, Alexey Zakhlestin [EMAIL PROTECTED] said the following: Did you just ignore the part about fastcgi? No I didn't, I just feel that fastcgi/suexec/mod_suphp doesn't handle all of the ready to run programs out there completely. Besides that, the whole

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Nate Gordon
Unless there is some other way in PHP of restricting where you can run programs from (can't find any), Why does PHP need to do that? Isn't that part of OS level security? There are those of us in shared environments where scripts can't be run as a single user because the content is owned by

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-11-05 Thread Mark Krenz
Yes, this is what I'm talking about. Now is the time to do this before some distribution of Linux or whatnot includes a version of PHP 6 that would not have this feature. I'm sorry I can't code very well in C. But I'd be willing to write documentation or a migration guide or something.

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-09-02 Thread Peter Brodersen
On Sun, 26 Aug 2007 22:59:16 -0700, in php.internals [EMAIL PROTECTED] (Rasmus Lerdorf) wrote: As PHP grew and became more complex and linked in more complex libraries, it became completely impossible to even begin to pretend that safemode was still effective. 1½ year ago we talked about

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-27 Thread Rasmus Lerdorf
Mark Krenz wrote: ??? What do you mean? I talked with Ryan Bloom about this at Apache Con 2000 and he said that with Apache 2.0, modules would be able to run code with the permissions of the user assigned to each vhost. I asked about the prospect of PHP being able to utilize this and he

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-27 Thread Cristian Rodriguez
On 8/26/07, Mark Krenz [EMAIL PROTECTED] wrote: No, this is the wrong way to approach the problem. No, this is the right way, language level security does not replace OS level security. I'm bringing it up because it's something that needs to be fixed in PHP. No, fixing this issue in PHP

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Stanislav Malyshev
and read the notes on safe_mode and open_basedir. PHP as is, is a real pain in the ass to lock down completely and it always has been. In fact, I'd venture to say that it's impossible. And believe me when I say that No more and no less than any other scripting language, I'd say. And the

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Richard Lynch
On Sun, August 26, 2007 2:31 pm, Mark Krenz wrote: First of all I don't want this to sound like a personal attack, it's professional. I just encountered something that really aggravates me about the state of PHP and I want to be heard by the developers. First make sure you understand what

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Nate Gordon
On 8/26/07, Richard Lynch [EMAIL PROTECTED] wrote: First make sure you understand what safe_mode does, and doesn't do, and just how lame it is at what it tried to do, and fails to do, and simply cannot do. I am all for the removal of safe mode in php. I use safe_mode now, but I patch it to

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Cristian Rodriguez
On 8/26/07, Mark Krenz [EMAIL PROTECTED] wrote: So what is the plan for increasing the security of PHP rather than decreasing it? The plan is probably increasing the security of PHP, and removing safe_mode is a step to do that, a false sense of security is worse than no security at all,

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Mark Krenz
On Sun, Aug 26, 2007 at 09:15:54PM GMT, Stanislav Malyshev [EMAIL PROTECTED] said the following: No more and no less than any other scripting language, I'd say. And the reason for that - it should be done on the OS level, not on the language level. OS possesses the capability and created

Re: [PHP-DEV] Safe mode being removed in PHP6?

2007-08-26 Thread Stanislav Malyshev
Really? Take anything that runs through CGI. I can turn on suexec for it and it will function the same plus it will run as the user and that gives me more benefits. But the architecture of how it runs is 100% secure, putting aside any vulnerabilities in the code that come up. It's what I