One of the people on my server needs php safe mode turned off. I had a look and the local value shows it as turned on while the master value is off. I had a look around the php.ini file, but I couldn't find the local settings in there (Redhat 7.2 BTW). Anybody feel like telling me where these local values are stored. Also, how wise is it from a security point of view to turn safe mode off. If it's not a good idea I'll just tell him to run a forum that will work with safemode turned on
It's not a good idea at all to let someone run PHP with safe mode OFF. It's a trivial matter to write a simple script that can access other people's scripts, info, etc.
My box has safe mode ON as the default (in php.ini). For MY sites that need safe mode OFF, I use the proper setting in httpd.conf. Everyone else gets safe mode ON. I'm not aware of any hosts that allow safe mode OFF for their customers, although there might be some out there that either don't care or don't know better.
I had a little look at the script and asked him what it was. The script seems to be a php forum script that doesn't require a mySQL backbone, it just saves everyting into a text file. The person confirmed this. He says he wants to test this script before he offers it to others to download to be used on (free)hosts that offer php, but don't offer mySQL...
I still don't see why it won't run under safe mode though, every other bit of php forum software I know does...
Seeing as he's not paying me, I can quite easily tell him he can forget about it and just be greatful for what he has., no offence meant to the person in question, but I put server security before anything.
This guy also wanted me to see whether I could get apache to display the hosting accounts file system if there was no index page installed. I run Ensim and by default if there is no index page it just denies permission to view the content. I think I'll just leave it like that, seems safer to me. I'm not going to go changing apache settings just to please somebody I offered free hosting.