  1. #1
    Join Date
    Feb 2002
    Posts
    1,926

    turning php safe mode off for local

    Hi,

    One of the people on my server needs PHP safe mode turned off. I had a look and the local value shows it as turned on while the master value is off. I had a look around the php.ini file, but I couldn't find the local settings in there (Red Hat 7.2, BTW). Anybody feel like telling me where these local values are stored? Also, how wise is it from a security point of view to turn safe mode off? If it's not a good idea I'll just tell him to run a forum that will work with safe mode turned on.

  2. #2
    Join Date
    Nov 2000
    Location
    Moran, Ks
    Posts
    186
    If it is a virtual hosting setup, a good place to start looking would be in the webserver configuration file (probably httpd.conf), specifically in the virtualhost container for that domain.

    Look for a line like...
    php_admin_value safe_mode 1

  3. #3
    Join Date
    Oct 2000
    Location
    Israel
    Posts
    1,286
    It's not a good idea at all to let someone run PHP with safe mode OFF. It's a trivial matter to write a simple script that can access other people's scripts, info, etc.

    My box has safe mode ON as the default (in php.ini). For MY sites that need safe mode OFF, I use the proper setting in httpd.conf. Everyone else gets safe mode ON. I'm not aware of any hosts that allow safe mode OFF for their customers, although there might be some out there that either don't care or don't know better.

  4. #4
    Join Date
    Feb 2002
    Posts
    1,926
    Hmm, ok, guess I'll just tell him he'll have to test his script elsewhere...

  5. #5
    Join Date
    May 2002
    Location
    UK
    Posts
    2,994
    I would be interested to know what he is doing in his script that requires safe mode to be off.

  6. #6
    Join Date
    Oct 2000
    Location
    Israel
    Posts
    1,286
    Originally posted by Rich2k
    I would be interested to know what he is doing in his script that requires safe mode to be off.
    Aaah, now that's a good question.

  7. #7
    Join Date
    Feb 2002
    Posts
    1,926
    I had a little look at the script and asked him what it was. The script seems to be a PHP forum script that doesn't require a MySQL backbone, it just saves everything into a text file. The person confirmed this. He says he wants to test this script before he offers it to others to download to be used on (free) hosts that offer PHP, but don't offer MySQL...

    I still don't see why it won't run under safe mode though, every other bit of php forum software I know does...

    Seeing as he's not paying me, I can quite easily tell him he can forget about it and just be grateful for what he has. No offence meant to the person in question, but I put server security before anything.

    This guy also wanted me to see whether I could get Apache to display the hosting account's file system if there was no index page installed. I run Ensim and by default if there is no index page it just denies permission to view the content. I think I'll just leave it like that, seems safer to me. I'm not going to go changing Apache settings just to please somebody I offered free hosting.

  8. #8
    Join Date
    Jul 2001
    Posts
    892
    Would it not be ok if open_basedir restriction was set?
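
Added example, not part of any post above: a small Python audit that lists the per-VirtualHost PHP overrides described in post #2 and reports each site's local safe_mode and open_basedir (the setting raised in post #8). The sample config, host names and function names are constructed for illustration; it assumes all overrides are in the text passed in (Include files and .htaccess are not followed) and that the master open_basedir is unset.

```python
import re

# Constructed sample httpd.conf fragment (not taken from the thread).
SAMPLE_HTTPD_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName forum.example.com
    php_admin_value safe_mode 1
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
    php_admin_flag safe_mode off
    php_admin_value open_basedir /home/shop/:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName plain.example.com
</VirtualHost>
"""
PHP_DIRECTIVE = re.compile(
    r"^\s*php_(?:admin_)?(?:value|flag)\s+(\S+)\s+(.+?)\s*$", re.I)
TRUTHY = {"1", "on", "yes", "true"}  # values PHP treats as boolean true

def vhost_php_overrides(conf_text):
    """Return {ServerName: {setting: value}} for php_* lines in each vhost."""
    result, current, name = {}, None, None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", stripped, re.I):
            current, name = {}, f"(vhost at line {lineno})"
        elif re.match(r"</VirtualHost>", stripped, re.I) and current is not None:
            result[name], current = current, None
        elif current is not None:
            server = re.match(r"ServerName\s+(\S+)", stripped, re.I)
            if server:
                name = server.group(1)
            directive = PHP_DIRECTIVE.match(line)
            if directive:
                current[directive.group(1).lower()] = directive.group(2).strip('"')
    return result

def local_values(conf_text, master_safe_mode=False):
    """Per-vhost local safe_mode (falling back to the master value) and open_basedir."""
    report = {}
    for name, overrides in vhost_php_overrides(conf_text).items():
        raw = overrides.get("safe_mode")
        safe = master_safe_mode if raw is None else raw.lower() in TRUTHY
        report[name] = {"safe_mode": safe, "open_basedir": overrides.get("open_basedir")}
    return report
```

A vhost that reports safe_mode False and open_basedir None has neither restriction applied at the vhost level and is the one to review first.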
