Web Hosting Talk







PHP Safe Mode


linuxnewbie
06-20-2002, 03:52 PM
What's the difference between running PHP in safemode and not in safemode?

Thanks!

davidb
06-20-2002, 04:12 PM
Not running in safe mode enables potentially dangerous commands to be run from a script. I don't know any details, just that much.

Jake29
06-20-2002, 04:20 PM
I have come to the conclusion that 99% of webhosts have NO IDEA of what PHP can or will do to their server at any given time. It's considered by most to be a simple, mostly ignorable Apache module à la mod-dbm that just happened to come built into their Redhat server, and not a well understood and supported programming environment. Maybe that's a testament to PHP's security and stability, or not. It seems like most people aren't clear on that either.

Hopefully this will incite someone to provide insight or at least links :)

Jake

Rich2k
06-21-2002, 06:35 AM
You might like to take a look at this thread in one of the other parts of the forum:

http://www.webhostingtalk.com/showthread.php?s=&threadid=55524

Abu Mami
06-23-2002, 01:54 AM
PHP on its own is not secure. The sys admin needs to make sure that the server is secured and that the various web components are properly set up. In the case of PHP, when safemode is enabled, it prevents users from doing not-nice things to your server.

For example, if safemode is OFF, a user would be able to write a PHP script that could read any other user's scripts. This actually means more than just being able to steal someone else's script source code. By being able to read the scripts, they can get database info (username/password) and thereby gain access to databases, etc. Safemode also protects against resource hogs, and allows the sysadmin to define certain actions (such as email sending) as off limits.

It is highly recommended to have safemode ON.

driverdave
06-23-2002, 02:31 AM
"Maybe that's a testament to PHP's security and stability, or not."

I don't think the ignorance of a sysadmin provides PHP with a testament to anything. I think PHP is quite secure (one minor exploit in recent memory), and I can't think of anything unstable about it. Maybe sockets, which seem buggy. But they do warn you about it.


"...and not a well understood and supported programming environment."

I would have to say it's very well supported. When the above exploit was published, there was a fix released very quickly. As for it being well understood, I think that reflects upon the person trying to understand it. If you don't understand it, I guess it's not well understood by you :) Check out http://www.php.net

You can't confuse the tool with the user of the tool. PHP is a tool. One of many.

As for safe mode, check out

http://www.php.net/manual/en/features.safe-mode.php

I can't really elaborate on that, it says it all.

Web Solution
06-23-2002, 03:28 AM
I agree with most of the comments above, PHP safe mode is there to protect you. But you can turn it off for individual sites that you personally operate.

Rich2k
06-23-2002, 06:14 AM
Yes, PHP is quite secure from the remote point of view, but safe mode deals with the local point of view, and when safe mode is off you can run all sorts of shell commands and access other users' files.

Abu Mami
06-23-2002, 07:49 AM
On my box I've got safe mode OFF for my sites and cron jobs. I've got safe mode ON for my hosting customers. Am I a nice guy or what?

Rich2k
06-23-2002, 02:33 PM
I do that because I have a few scripts on my own sites monitoring uptime, disk space and whether certain things are still running... can't do that with safe mode on.

Gyrbo
06-23-2002, 03:15 PM
Safemode is just the easy way of doing it. It's like the magic_quotes...

The best security IMO is using open_basedir; it allows you to "lock" them into their directory. This way they can't access other users' scripts.

NetGeek
06-23-2002, 04:19 PM
How would you do that? I mean disabling safe mode for some sites and crons and enabling it for the others?

cperciva
06-23-2002, 08:04 PM
Safe mode is a hack which doesn't work especially well even at the best of times. The only secure solution is to run via a setuid wrapper (i.e., suexec).

Rich2k
06-24-2002, 04:58 AM
You can set PHP admin directives for each virtual host; thus you can turn safe mode and open_base_dir off for certain virtual hosts.

NetGeek
06-24-2002, 05:59 AM
Rich, this is done in php.ini or httpd.conf?

Could you please give an example or point me to some URL that covers such a thing? Help is much appreciated.

linuxnewbie
06-24-2002, 06:32 AM
Can someone tell me how to disable php safe mode for individual accounts?

phpjames
06-24-2002, 06:54 AM
Leave safe mode off and I will write a script which emulates the command line and gives shell access from the browser....muaaaaaaaaahhh! :angry:

phpjames
06-24-2002, 07:05 AM
linuxnewbie,
Go into /etc/php.ini and make sure safe_mode is set to on. Then you can give any virtual host any PHP function or turn safe mode off for each site by editing the Apache virtual hosting container for that site.

Thank Driverdave for the link:
http://www.php.net/manual/en/features.safe-mode.php

See the notes and look at the Apache containers. This will give you an idea on how to allow safe mode for your users. Good luck.
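
[Added example, not part of the original thread or written by any poster: a sketch of the per-virtual-host setup described in the posts above, with safe_mode on server-wide in /etc/php.ini, switched off only for the operator's own site, and open_basedir confining each account. Hostnames, account names and paths are constructed placeholders; mod_php under Apache is assumed.]

```apache
# /etc/php.ini is assumed to carry the server-wide default:
#   safe_mode = On
#
# php_admin_flag / php_admin_value are accepted only in the main Apache
# configuration, so an account holder cannot override them from .htaccess
# or with ini_set().

# Hosting customer (placeholder account "customer1"):
# keeps the server-wide safe_mode and is locked into its own tree.
<VirtualHost *:80>
    ServerName   customer1.example.com
    DocumentRoot /home/customer1/public_html

    php_admin_flag  safe_mode    On
    # Trailing slash matters: open_basedir is a prefix match, so
    # "/home/customer1" would also allow "/home/customer10/...".
    php_admin_value open_basedir "/home/customer1/"
</VirtualHost>

# Operator's own site (placeholder account "admin"):
# safe_mode off so monitoring scripts can run shell commands,
# but file access is still confined by open_basedir.
<VirtualHost *:80>
    ServerName   admin.example.com
    DocumentRoot /home/admin/public_html

    php_admin_flag  safe_mode    Off
    php_admin_value open_basedir "/home/admin/"
</VirtualHost>

# Both settings are checks made inside PHP. With mod_php every script
# still runs as the web server's user, so file permissions alone do not
# separate accounts; that is the gap the suexec suggestion addresses.
```

[safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; open_basedir is still available in current PHP versions.]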

linuxnewbie
06-24-2002, 10:50 AM
Thanks! :) Think I can take it from here! :D

Appreciate it!

#fdd700
06-25-2002, 01:32 AM
Originally posted by Abu Mami
This actually means more than just being able to steal someone else's script source code. By being able to read the scripts, they can get database info (username/password) and thereby gain access to databases, etc.

:idea: r-------- :rolleyes: