Re: Document the bug fix policy regarding PHP Safe Mode
Florian Weimer <firstname.lastname@example.org> wrote:
> Multi-user servers where most users have shell access are a non-issue
> as far as PHP Safe Mode is concerned. The desire behind Safe Mode is
> that your users can upload arbitrary PHP scripts, and still don't get
> shell access to the box.

No. PHP Safe Mode is also used to "secure" mod_php, i.e. to prevent
users from compromising the account your Apache processes and your
users' mod_php scripts run as. In this context it does not matter
whether your users have shell access or not.

> I've been told that Safe Mode is indeed very annoying for users, so
> it wouldn't be that useful in an ISP environment, even if it were
> actually secure.

It might be annoying for some users; others prefer the higher speed of
mod_php compared to PHP via CGI (using suexec). This also lowers the
system load caused by those scripts.

Anyway, regardless of whether Debian supports Safe Mode or not, I would
very much appreciate a clear, official statement concerning this issue,
e.g. by publishing the text Florian suggested in his first mail on this
topic somewhere on Debian's website.