
Re: debian webapps working with php.ini engine=off by default?



r@tchet wrote:

> I see why you'd push for engine=off...but wouldn't that break other
> packages like phpMyAdmin and Squirrelmail?

Not if they are prepared for the change by using php_flag engine On in
their htaccess or equivalent.

> Just thinking through the whole scenario...if the engine was forced off
> and you had to manually go turn it on then all of the packages that use
> php through the web would then require apache configurations to turn it
> back on...which I dare say is creating extra work for people that wouldn't
> understand why.

Yeah, it would be a fair bit more work, but worth it. If they want php
on globally, they can read the notes in NEWS.Debian and in php.ini about
the security issues, and perhaps it might also tell them to look into
safe_mode for extra security.

> For me personally I leave PHP on b/c I can trust my users...or by default
> they should have appropriate privileges to run PHP apps.

I suppose this is often the case, not sure of the relative ratios of
trusting everyone on the server to trusting only a few users though.

> Just wondering which setup is the more common.

I'd say the globally enabled option is more common (as the default)
simply because people won't bother changing this until they are
cracked or something (this is what happened in my case).

> Perhaps it should be that on installation of PHP there was an option to
> select if the engine should be on or off by default (which may be your
> original suggestion).  I do agree that just because you install something
> doesn't mean you want to turn everything on by default...take suExec in
> Apache for example.

That'd be acceptable to me as long as stuff like phpmyadmin/etc worked
out-of-the-deb with engine=off - ie, they'd put "php_flag engine On" in
their htaccess or equivalent.

I suppose I should be filing wishlist bugs post-sarge instead of
bringing this up here, I can only hope the php/php webapps maintainers
will agree with me.

-- 
bye,
pabs
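The layout the message argues for, as an added example rather than anything shipped by Debian or posted in this thread: PHP switched off globally in php.ini, then re-enabled only under an application's own document root. File paths and the application name are assumed.

```apache
# Added example (not from the thread or from any Debian package).
#
# 1) Global default in php.ini (assumed path: /etc/php4/apache2/php.ini):
#        engine = Off
#    replaces the stock  engine = On  that executes PHP in every vhost
#    and every user's public_html whether the admin meant it or not.
#
# 2) A web application re-enables PHP only for its own directory, e.g. in
#    a conf snippet it ships (assumed path: /etc/phpmyadmin/apache.conf):
Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
    php_flag engine On
    # The thread's safe_mode suggestion, if wanted, belongs here too;
    # php_admin_flag cannot be overridden from .htaccess.  (safe_mode
    # only exists in PHP 4/5.x; it was removed in PHP 5.4.)
    php_admin_flag safe_mode On
</Directory>

# 3) If an application prefers "php_flag engine On" in its own .htaccess
#    instead, mod_php honours it only where the directory permits it:
<Directory /var/www>
    AllowOverride Options
</Directory>
#    Without AllowOverride Options (or All) Apache answers with a 500 and
#    logs "php_flag not allowed here", so the failure is loud, not silent.
#
# Check after reloading (apache2ctl configtest && apache2ctl graceful):
#   - a .php file under /phpmyadmin executes;
#   - a .php file elsewhere is NOT executed; also confirm with curl that
#     it is not returned as plain-text source, since engine=Off stops
#     execution but does not by itself deny access to the file.
```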


