
Re: debian webapps working with php.ini engine=off by default?



I see why you'd push for engine=off...but wouldn't that break other
packages like phpMyAdmin and Squirrelmail?

Just thinking through the whole scenario...if the engine was forced off
and you had to manually go turn it on then all of the packages that use
php through the web would then require apache configurations to turn it
back on...which I dare say is creating extra work for people that wouldn't
understand why.

For me personally I leave PHP on b/c I can trust my users...or by default
they should have appropriate privileges to run PHP apps.

Just wondering which setup is the more common.

Perhaps it should be that on installation of PHP there was an option to
select if the engine should be on or off by default (which may be your
original suggestion).  I do agree that just because you install something
doesn't mean you want to turn everything on by default...take suExec in
Apache for example.






> Pierre Habouzit wrote:
>
>> there is no place for flames here ;p
>
> ;)
>
>> I don't what the point of that change is ...
>> what is your gain here ?
>
> Security in two scenarios:
>
> I have users who can upload via sftp/ftp, but not run anything on the
> server. I also have some sites and webapps, some of which I want to
> enable php on. However, I don't trust any of the users (current/future)
> with php access. Therefore it would be nice if the webapps worked with
> engine=off by default.
>
> I have a webapp that allows the public to upload stuff, which can be
> then downloaded again. I only want the scripts that handle this
> uploading to be executed, and not any of the files that get uploaded.
> Therefore it would be nice if the webapp worked with engine=off by
> default.
>
> There may be more I can't think of.
>
> --
> bye,
> pabs
>
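
The arrangement discussed in this thread, written out as an Apache configuration fragment. This is an added example, not configuration from any poster or from a Debian package; it assumes PHP is loaded as an Apache module (mod_php), and the directory paths are hypothetical.

```apache
# Added example; paths are hypothetical, not taken from the thread.
# Assumes PHP runs as an Apache module (mod_php), where the "engine"
# setting can be changed per directory from the server configuration.

# Default for everything Apache serves: PHP parsing off.
# (Same effect as shipping php.ini with engine = Off.)
<Directory />
    php_admin_flag engine off
</Directory>

# A packaged webapp turns the engine back on for its own code only.
<Directory /usr/share/examplewebapp>
    php_admin_flag engine on
</Directory>

# Directory that receives public uploads: keep the engine off.
# php_admin_flag values cannot be overridden from .htaccess or ini_set(),
# and AllowOverride None stops .htaccess files there from being read.
<Directory /usr/share/examplewebapp/uploads>
    php_admin_flag engine off
    AllowOverride None
</Directory>

# Directories that users fill via sftp/ftp get no block of their own,
# so they inherit the default above (engine off).
```

Each packaged webapp would need to ship a block like the second one, which is the extra per-package Apache configuration the reply above refers to.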



