Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:8620 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38357 invoked by uid 1010); 19 Mar 2004 20:43:37 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 38247 invoked from network); 19 Mar 2004 20:43:36 -0000 Received: from unknown (HELO colo.lerdorf.com) (66.198.51.121) by pb1.pair.com with SMTP; 19 Mar 2004 20:43:36 -0000 Received: from rasmus2.corp.yahoo.com (rasmus2.corp.yahoo.com [207.126.233.18]) by colo.lerdorf.com (8.12.11/8.12.11/Debian-3) with ESMTP id i2JKhY88028057; Fri, 19 Mar 2004 12:43:34 -0800 Date: Fri, 19 Mar 2004 12:43:29 -0800 (PST) X-X-Sender: rasmus@thinkpad.lerdorf.com To: boulat@funio.com cc: ilia@prohost.org, internals@lists.php.net In-Reply-To: <63330.66.158.132.127.1079724184.squirrel@www.funio.com> Message-ID: References: <61700.66.158.132.127.1079718509.squirrel@www.funio.com> <60174.66.158.132.127.1079720363.squirrel@www.funio.com> <200403191323.33174.ilia@prohost.org> <63330.66.158.132.127.1079724184.squirrel@www.funio.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Status: No, hits=-4.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on colo Subject: Re: [PHP-DEV] new security related directive for php-4.3.4 From: rasmus@php.net (Rasmus Lerdorf) On Fri, 19 Mar 2004 boulat@funio.com wrote: > The reason why I would want to play with settings in php.ini or/and > httpd.conf often is because everytime I modify those config files I MUST > restart apache in order for changes to take place, meaning I will have > DOWNTIME. Now imagine hundreds of new accounts added per day to your > hosting machine, that means the webserver will end up getting restarted > hundreds of times... Hundreds of seconds per day add up to minutes of > downtime... and as we all know downtime is something everyone tries to > avoid at all costs. That's a good point. But this implementation still doesn't seem very slick to me. What about something like: open_basedir = /var/www/{user}/public_html Where {user} would map to the owner of the script being executed. Other things that might be supported as well: {group}, {regex:a.*$}, {host} and probably other things as well. I haven't thought through this very much yet, but that seems like a more flexible approach to this problem. -Rasmus