[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Document the bug fix policy regarding PHP Safe Mode

Florian Weimer <fw@deneb.enyo.de> wrote:

> Multi-user servers where most users have shell access are a non-issue
> as far as PHP Safe Mode is concerned.  The desire behind Safe Mode is
> that your users can upload arbitrary PHP scripts, and still don't get
> shell access to the box.

No. PHP Safe Mode is also used to "secure" mod_php, i.e. to prevent
users from compromising the account your Apache processes and your
users' mod_php scripts run as. In this context it does not matter
whether your users have shell access or not.

> [...]

> I've been told that Safe Mode is indeed very annoying for users, so
> it wouldn't be that useful in an ISP environment, even if it were
> actually secure.

It might be annoying for some users, others prefer the higher speed of
mod_php compared to PHP via CGI (using suexec). This also lowers the
system load caused by those scripts.

Anyway, regardless of whether Debian supports Safe Mode or not, I would
very much appreciate a clear, official statement concerning this issue,
e.g. by publishing the text Florian suggested in his first mail on this
topic somewhere on Debian's website.


Reply to: