Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:31923
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain zend.com designates 63.205.162.114 as permitted sender)
Message-ID: <46D23FDC.3050407@zend.com>
Date: Sun, 26 Aug 2007 20:07:08 -0700
Organization: Zend Technologies
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Mark Krenz <mark@suso.org>
CC:  internals@lists.php.net
References: <20070826193146.GQ16782@arvo.suso.org> <46D1ED8A.2060302@zend.com> <20070827024804.GS16782@arvo.suso.org>
In-Reply-To: <20070827024804.GS16782@arvo.suso.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Safe mode being removed in PHP6?
From: stas@zend.com (Stanislav Malyshev)

>   Really?  Take anything that runs through CGI.  I can turn on suexec
> for it and it will function the same plus it will run as the user and
> that gives me more benefits.  But the architecture of how it runs is
> 100% secure, putting aside any vulnerabilities in the code that come up.

It's what I call OS approach, since it bases itself on user ID for 
security, and on OS to check user ID. So, what prevents you from running 
PHP as CGI/suexec without safe mode?

>   No, this is the wrong way to approach the problem.  With hundreds of
> users, all doing different things, there is a strong possibility that
> I'll have to maintain such SELinux or apparmor rules for each user's
> website.  That's rediculous.  A secure server should be something that

Sorry if there's no adequate solution for your particular case on the 
market. But that doesn't mean PHP should try to become AppArmor or SELinux.

>   No more high-level than Perl.  What's the difference?  The real

The difference is, last that I heard Perl has no safe mode. perl has 
taint mode which is very different and maybe - if somebody succeeds in 
doing that - can be done in PHP too.

> writing this a user wrote me about their wordpress site being hacked.
> Now that may have been a Wordpress known vulnerability, but it doesn't
> matter, without safe_mode on, it could have been worse.

Since safe mode never really provided secure environment, I don't see 
how it would be worse.

>   ???  What do you mean?  I talked with Ryan Bloom about this at Apache
> Con 2000 and he said that with Apache 2.0, modules would be able to run

There's a difference between "would be able to" and "works". For now, 
Apache docs say:
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
The User directive sets the user ID as which the server will answer requests
/.../
Special note: Use of this directive in <VirtualHost> is no longer 
supported. To configure your server for suexec use SuexecUserGroup.

perchild MPM in 2.0 docs says:

This module is not functional. Development of this module is not 
complete and is not currently active. Do not use perchild unless you are 
a programmer willing to help fix it.

> code with the permissions of the user assigned to each vhost.  I asked
> about the prospect of PHP being able to utilize this and he said its
> possible, but I got the impression that the PHP devs where not
> interested.

We would be very interested to see Apache implementing this capability, 
but as I understand it never worked stable in 2.0 and was removed in 2.2.
-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com   http://www.zend.com/
(408)253-8829   MSN: stas@zend.com