Results 1 to 25 of 39
Thread: PHP Safe mode
-
06-17-2002, 04:48 AM #1Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
PHP Safe mode
Once again the old problem comes up of a client asking for safe mode to be disabled because a script they downloaded won't work otherwise.
I certainly won't be disabling it but I was wondering what you guys tend to tell clients when you say no?
-
06-17-2002, 05:09 AM #2WHT Addict
- Join Date
- Oct 2001
- Location
- The Netherlands, Europe
- Posts
- 153
I would just tell them that the script they downloaded was not programmed very well. I believe that php programmers should always test their scripts on safemode php to ensure maximum compatibility.
Also I'd explain to them the huge security risks involved with disabling safemode. Tell them that any other client could look through their mysql database, hack their forum et cetera.
-
06-17-2002, 06:37 AM #3Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
I did exactly that (even the bad programming bit) but they still aren't happy.... simply because their previous host turned safe mode off for them.
-
06-17-2002, 07:19 AM #4Web Hosting Master
- Join Date
- Feb 2002
- Location
- Australia
- Posts
- 24,027
Originally posted by Rich2k
I did exactly that (even the bad programming bit) but they still aren't happy.... simply because their previous host turned safe mode off for them.• WLVPN.com • NetProtect owned White Label VPN provider •
• Increase your hosting profits by adding VPN to your product line up •
-
06-17-2002, 08:46 AM #5WHT Addict
- Join Date
- Oct 2001
- Location
- The Netherlands, Europe
- Posts
- 153
I agree with Aussie Bob. Tell them that you are not willing to put the security of your machines on the line for only one script.
If you "need" the client and the script's not too complicated you might be able to solve the problem and please the client after all, but don't put too much time in it.
-
06-17-2002, 10:04 AM #6Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
Oh yes, I was certainly never going to disable safe mode for a client's site
I was just wondering what you tell clients. I told them pretty much what you said originally anyway. I don't think I've ever written a PHP script that required safe mode to be disabled (then again I've never tried to access the shell from php either!)
-
06-17-2002, 03:21 PM #7Web Hosting Master
- Join Date
- Feb 2002
- Posts
- 771
We have gotten this a few times lately and we just tell them that they can choose a different script that will work in Safemode. If they are not happy we explain they have two more choices. Let us put them on a dedicated server where they can do what they want or we can send their money back.
We will not take a chance on this at all.
My 1.786645 cents (taxes)
Robert
-
06-17-2002, 04:20 PM #8WHT Addict
- Join Date
- Oct 2001
- Location
- The Netherlands, Europe
- Posts
- 153
By 'solve the problem' I didn't mean "turn safe mode off" but that you might be able to change the script to run with safemode enabled
-
06-17-2002, 07:01 PM #9Junior Guru Wannabe
- Join Date
- Mar 2002
- Posts
- 58
id not agreed whit that..
First of all i'm host some site, then lot of very usufull script whont work whit safe mode on...
Then lot of time for myself building a site if i need a safe mode off i'd expect my hosting provider will do it else i will go elsewhere !
There noting here about what you CALL bad programming...
If you have a good customer then he ask to turn safemode off for a script that need i think its important to help it,
not telling it blablabla....
My opignion..
Then most of you dont even know whats safemode do if its off ?
Anyone can even tell a problem you can have whit safe mode off ?
Then btw you can disable safemode only one domain at a time as i know..
Even whit cgi you can have security problem,
then do you disable cgi for that ??
-
06-17-2002, 07:34 PM #10WHT Addict
- Join Date
- Sep 2001
- Posts
- 135
With safe mode on you can't use scripts that write files to the server.
There are actually quite a few functions that are disabled as well.
Anyone have any useful workarounds to the PHP safe mode issue?
Telling a customer that you won't turn off safe mode does not help the customer in any way.
-
06-17-2002, 08:02 PM #11Web Hosting Master
- Join Date
- May 2001
- Location
- Dayton, Ohio
- Posts
- 4,977
Originally posted by Hey It's Me
With safe mode on you can't use scripts that write files to the server.
There are actually quite a few functions that are disabled as well.
Anyone have any useful workarounds to the PHP safe mode issue?
Telling a customer that you won't turn off safe mode does not help the customer in any way.
PHP.net is your friend...
I'd never open up a server for a single user...
-
06-18-2002, 02:33 AM #12WHT Addict
- Join Date
- Oct 2001
- Location
- The Netherlands, Europe
- Posts
- 153
Re: id not agreed whit that..
Originally posted by tech
...
Then lot of time for myself building a site if i need a safe mode off i'd expect my hosting provider will do it else i will go elsewhere !
There noting here about what you CALL bad programming...
If you have a good customer then he ask to turn safemode off for a script that need i think its important to help it,
not telling it blablabla....
Then most of you dont even know whats safemode do if its off ?
Anyone can even tell a problem you can have whit safe mode off ?
Then btw you can disable safemode only one domain at a time as i know..
Personally I'd call that a problem
Even whit cgi you can have security problem,
then do you disable cgi for that ??
-
06-18-2002, 02:39 AM #13Newbie
- Join Date
- May 2002
- Location
- Australia
- Posts
- 19
safe_mode creates more problems than adds security.
open_basedir should be enough. If someone is good enough to go around open_basedir, he would be able to go around safe_mode as well.
-
06-18-2002, 04:57 AM #14Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
Originally posted by Hey It's Me
With safe mode on you can't use scripts that write files to the server.
I've happily written and created files with safe mode enabled. The following code would work happily with safe mode enabled
PHP Code:$fp = fopen ("/location/to/file.txt", "w");
fputs ($fp, $filecontent, strlen($filecontent));
fclose ($fp);
Anyone can even tell a problem you can have whit safe mode off ?
Then btw you can disable safemode only one domain at a time as i know..
-
06-18-2002, 05:21 AM #15Newbie
- Join Date
- May 2002
- Location
- Australia
- Posts
- 19
Originally posted by Rich2k
Oh yes you can!
I've happily written and created files with safe mode enabled. The following code would work happily with safe mode enabled
PHP Code:$fp = fopen ("/location/to/file.txt", "w");
fputs ($fp, $filecontent, strlen($filecontent));
fclose ($fp);
safe_mode doesn't prevent scripts from writing files, neither it restricts access to the file system.
It doesn't allow script to work with files owned by other uid/guid (which is more than annoying) and prohibit running system commands (which is really good).
There is open_basedir directive to restrict access to file system.
And, I believe, anyone who can do harm by running system commands from PHP, can do harm by using other possibilities in spite of safe_mode.
-
06-18-2002, 06:05 AM #16Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
One of the good things safe mode prevents is running shell commands by disabling commands such as shell_exec()
-
06-18-2002, 06:19 PM #17Web Hosting Master
- Join Date
- Aug 2001
- Posts
- 5,065
I always thought that most hosts (like practically all of them) always have php safe-mode turned OFF...not on?
Isn`t it better to have it off...or do i have it backwards?
-
06-19-2002, 02:20 AM #18WHT Addict
- Join Date
- Oct 2001
- Location
- Aussie Land
- Posts
- 162
I have a dedicated server and will soon be running a company but I need safe mode to be off...
would this be ok? since it's not going to be used for web hosting?
Btw, can someone direct me to instructions on how to turn safe mode on/off?
Thanks
-
06-19-2002, 02:34 AM #19Newbie
- Join Date
- May 2002
- Location
- Australia
- Posts
- 19
Originally posted by dragonhawk
Btw, can someone direct me to instructions on how to turn safe mode on/off?
Will this one do?
-
06-19-2002, 02:38 AM #20WHT Addict
- Join Date
- Oct 2001
- Location
- Aussie Land
- Posts
- 162
Thanks
-
06-19-2002, 02:41 AM #21WHT Addict
- Join Date
- Oct 2001
- Location
- The Netherlands, Europe
- Posts
- 153
Originally posted by dragonhawk
I have a dedicated server and will soon be running a company but I need safe mode to be off...
would this be ok? since it's not going to be used for web hosting?
....
(okay, okay.. except if you want to develop scripts and want them to be 'compatible' with safe_mode)
-
06-19-2002, 04:55 AM #22Web Hosting Master
- Join Date
- May 2002
- Location
- UK
- Posts
- 2,997
I'll be interesting to find out what webhosts do... on or off.
-
06-19-2002, 10:29 AM #23Aspiring Evangelist
- Join Date
- Nov 2000
- Location
- Austin, TX
- Posts
- 415
Personally, I find this ridiculous. Most of you offer SSH or Telnet access but will not turn safe_mode off? safe_mode is only a security risk if you do not have your servers decently secure. Permissions are still active with safe_mode enabled...and anything executed through php runs with the httpd user. I use the same policy with turning safe_mode off as I do with granting SSH access. My setup allows me to turn safe_mode off on a per-site basis, however. Unless someone is stupid enough to chmod everything 777, there is no problem with enabling safe_mode, its like giving a pencil to a prisoner. A pencil in anyone else's hands would be harmless, but with determination, anything can become a weapon.
Justin Bachus
BlastHosting, LLC - Professional web hosting at a low price with
PHP, MySQL, FreeBSD, and more!
http://www.blasthosting.com
-
06-19-2002, 11:05 AM #24WHT Addict
- Join Date
- Oct 2001
- Location
- The Netherlands, Europe
- Posts
- 153
Justin, I totally disagree with you
With safe_mode off you still have the standard unix permissions system, but the problem is that a php script has the same permissions as apache.
Now apache is, of course, allowed to read php scripts and the mysql passwords included in those scripts.
If safe_mode is off, anyones script can access everyone elses php scripts and mysql passwords.
Enabling ssh access does not allow user A to access user B's files (provided the permissions are set correctly), but disabling safe_mode does.
-
06-19-2002, 12:05 PM #25Aspiring Evangelist
- Join Date
- Nov 2000
- Location
- Austin, TX
- Posts
- 415
Originally posted by T_E_O
Enabling ssh access does not allow user A to access user B's files (provided the permissions are set correctly), but disabling safe_mode does.Justin Bachus
BlastHosting, LLC - Professional web hosting at a low price with
PHP, MySQL, FreeBSD, and more!
http://www.blasthosting.com