Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:8625
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Fri, 19 Mar 2004 13:13:45 -0800 (PST)
To: Ilia Alshanetsky <ilia@prohost.org>
cc: internals@lists.php.net, boulat@funio.com
In-Reply-To: <200403191609.28127.ilia@prohost.org>
Message-ID: <Pine.LNX.4.58.0403191312320.2205@thinkpad.lerdorf.com>
References: <61700.66.158.132.127.1079718509.squirrel@www.funio.com>
 <200403191602.17011.ilia@prohost.org> <Pine.LNX.4.58.0403191303580.2205@thinkpad.lerdorf.com>
 <200403191609.28127.ilia@prohost.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: [PHP-DEV] new security related directive for php-4.3.4
From: rasmus@php.net (Rasmus Lerdorf)

On Fri, 19 Mar 2004, Ilia Alshanetsky wrote:

> On March 19, 2004 04:05 pm, you wrote:
> > If you are using open_basedir at all, you have already given up all hope
> > of any sort of performance.
> 
> Certainly, but this would make the existing situation much worse then it 
> already is. Ideally fastcgi or ap2 should be used where it is possible to 
> make the web server processes run under the user's account hence avoiding the 
> needed for open_basedir, safe_mode, etc... all together.

The code could easily be written such that there is virtually no 
performance degradation unless the dir actually contains a {} component, 
so I don't buy that argument.  We are always trading convenience for 
performance here.

-Rasmus