Once I enabled exec() and other execute commands protection, and a client told me that some of his scripts stopped working (for example, picKLE gallery, http://picklegallery.sourceforge.net/).
Is there some famous script that won't work? I think it's worth losing 2 or 3 clients in order to have a more secure server.
Also, wouldn't just phpsuexec be enough (or maybe even better)?
Originally posted by thelinuxguy: Yes / no. Like anything, you can always find a way to bypass things. Sure, safe mode's good for PHP scripts; what happens with Perl? Nothing, exploitable script, boom, compromise.
Originally posted by thelinuxguy: Let's say you've got an old kernel. Someone could upload a local kernel exploit, exploit your server under their user and get root access.
The point here is something like
"how to prevent users using PHP to do things that they can't do with a non-jailed shell account?"
Users can only use Perl to do things that they would get to do with a non-jailed shell account... but with PHP running as nobody, users can probably access all other users' dirs and other things (unless you put restrictions like open_basedir and phpsuexec).
Probably the best restriction is phpsuexec... are there some negative points about that?