Newsgroups: php.internals
Subject: Re: [PHP-DEV] open_basedir_for_include
From: ilia@prohost.org (Ilia Alshanetsky)
To: Peter Brodersen
CC: internals@lists.php.net
Date: Sun, 26 Mar 2006 12:42:57 -0500
Message-ID: <4426D2A1.7030109@prohost.org>
In-Reply-To: <7qjd221uk4tcgqlmfb9vmopmnmc3cfn3p8@4ax.com>

If you don't trust your users to execute external commands, which is a perfectly valid concern, PHP provides you with a way to restrict that functionality: the disable_functions INI setting.
Ilia

Peter Brodersen wrote:
> On Sat, 25 Mar 2006 12:14:52 -0500, in php.internals ilia@prohost.org
> (Ilia Alshanetsky) wrote:
>
>> Plus, if you leave the file writable, what's to say you couldn't do:
>> shell_exec("cp foo /lib/file/inc.php") ?
>
> The possible exec restriction salvaged from safe_mode mentioned in
> <43874C56.8050007@lerdorf.com> ?
>
> This thread is mainly about a safety net for one's own code. But
> regarding restricting users, open_basedir is IMO useless if not backed
> up by some other methods (like restricting exec functions).
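The point both messages make is that open_basedir only constrains PHP's own file operations, so a shell_exec("cp ...") walks straight past it; the php.ini fragment below, an added example and not part of the thread, shows the weak configuration beside the one Ilia describes, where disable_functions backs open_basedir up. The directory paths and the exact function list are assumptions chosen for illustration.

```ini
; --- Weak: open_basedir alone ---------------------------------------
; Restricts fopen(), include, file_put_contents() and friends to the
; listed trees (paths are an assumption for this example), but any
; external command spawned by the script is not subject to it, so
; shell_exec("cp foo /lib/file/inc.php") still succeeds.
; open_basedir = /var/www/site:/tmp

; --- Hardened: open_basedir backed up by disable_functions ----------
; Same file-access restriction as above.
open_basedir = /var/www/site:/tmp

; Remove the functions that hand control to a shell or spawn a
; process; with these disabled the copy in the quoted message cannot
; be performed from PHP at all. Functions can only be disabled this
; way in php.ini (or the per-host block of the server config), not
; from a user's own script. The list is an assumption; extend it
; to match the functions available in your build.
disable_functions = shell_exec,exec,system,passthru,popen,proc_open

; Optional: a quick check that the restriction is in effect.
; function_exists('shell_exec') returns false once it is disabled,
; so a deployment test can assert on that before trusting the host.
```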