Newsgroups: php.internals
Date: Mon, 5 Nov 2007 14:42:38 -0500
From: nlgordon@gmail.com ("Nate Gordon")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Safe mode being removed in PHP6?

> >
> > Unless there is some other way in PHP of restricting where you can run
> > programs from (can't find any),
>
> Why does PHP need to do that? Isn't that part of OS level security?

There are those of us in shared environments where scripts can't be run as a single user because the content is owned by a group of users and thus a group is the limiting factor. Since PHP is what is allowing me to run scripts/progs through a PHP function, I don't see how it would be that difficult to lock that down to a specific directory on a per-vhost basis.

>
> >this is going to become a major problem.
>
> This is going to **solve** a major problem, this change will eliminate
> the false sense of security that safe_mode provides and will tell
> people to start securing their stuff better.
>
> safe_mode does not really resist any analysis, whoever convinced you
> that it is a good thing does not have a clue.

I will be the first to acknowledge that the basic premise of safe_mode is broken (the part about uids/gids matching), but the extra feature I used was a per-vhost disabling of executing anything that wasn't PHP. This is the real feature I want: simple per-vhost disable functions. I realize that suhosin provides a per-vhost disable functions feature, but why is it up to an extension to provide that? The next thing I would want is a per-vhost exec dir limit.

People are too quick to throw out the baby with the bath water on safe_mode. It isn't completely useless to everyone.

--
-Nathan Gordon

If the database server goes down and there is no code to hear it, does it really go down?
:wq