Secure shared web hosting using MAC Framework
Simon L. Nielsen
simon at FreeBSD.org
Sun Feb 25 11:17:10 UTC 2007
On 2007.02.21 22:18:15 +0100, Momchil Ivanov wrote:
> > But is there any way to disbale related php functions? is there any well
> > defined configuration examples for mod_php?
>
> Is this what you are looking for:
> http://www.php.net/manual/en/features.safe-mode.php
You should not rely on PHP safe mode and related features working
since it's broken by design. There is a reason this was added to the
default php.ini on FreeBSD:
SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
the PHP Safe Mode feature not be relied upon for security, since the
issues Safe Mode tries to handle cannot properly be handled in PHP
(primarily due to PHP's use of external libraries). While many bugs
in Safe Mode has been fixed it's very likely that more issues exist
which allows a user to bypass Safe Mode restrictions.
For increased security we always recommend to install the Suhosin
extension.
Running untrusted code in PHP just as unsafe as any other untrusted
program on your system.
It can be OK to use safe mode related features as an extra layer of
trouble an attacker has to get through, but you should still treat the
setup as though the safe mode stuff isn't there and assume people can
break it.
See also http://www.vuxml.org/freebsd/pkg-php5.html for more
information on why safe mode shouldn't be trusted.
--
Simon L. Nielsen
FreeBSD Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070225/07b3dc53/attachment.pgp
More information about the freebsd-security
mailing list