Newsgroups: php.internals
Date: Wed, 17 Aug 2011 14:25:46 +0200
To: Reindl Harald
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] https://bugs.php.net/bug.php?id=52312
From: pierre.php@gmail.com (Pierre Joye)

hi,

On Wed, Aug 17, 2011 at 2:13 PM, Reindl Harald wrote:

> defaults on all servers i maintain since 10 years
> "popen" is disabled per vhost with "php_admin_value suhosin.executor.func.blacklist"
> since "disable_functions" is too dumb working on -directive
>
> disable_functions = "exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate,
> proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid,
> posix_setuid, mail, symlink"

symlink is not disabled in most ISPs I work with or used (and that's
quite a lot).

>>> * give us an option to bypass the check in such environments
>>
>> Well, there are other better ways to control access than relying on
>> open_basedir. Permissions are on, that's why I would not add special
>> cases here
>
> if you are hosting some hundred domains there are not really
> better ways since you will not add hundreds of system-users
> while you have to deal with FTP/SFTP
>
> and exactly these setups for some hundred domains would benefit
> most of the realpath-cache

Besides the arguments already stated in the bug report, there is no
chance that we will change this. All past attempts to "optimize"
open_basedir (and before safemode) have ended as shooting ourselves in
the knees.

It is still too slow for your needs? Don't use it and rely on system's
solutions (or web server, like on IIS or many fastcgis). It sounds bad
but that's how it is.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org