Re: Secure shared web hosting using MAC Framework



On 2007.02.21 22:18:15 +0100, Momchil Ivanov wrote:
But is there any way to disable related php functions? Are there any well
defined configuration examples for mod_php?

Is this what you are looking for:
http://www.php.net/manual/en/features.safe-mode.php

You should not rely on PHP safe mode and related features working
since it's broken by design. There is a reason this was added to the
default php.ini on FreeBSD:

SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
the PHP Safe Mode feature not be relied upon for security, since the
issues Safe Mode tries to handle cannot properly be handled in PHP
(primarily due to PHP's use of external libraries). While many bugs
in Safe Mode has been fixed it's very likely that more issues exist
which allows a user to bypass Safe Mode restrictions.
For increased security we always recommend to install the Suhosin
extension.

Running untrusted code in PHP is just as unsafe as any other untrusted
program on your system.

It can be OK to use safe mode related features as an extra layer of
trouble an attacker has to get through, but you should still treat the
setup as though the safe mode stuff isn't there and assume people can
break it.

See also http://www.vuxml.org/freebsd/pkg-php5.html for more
information on why safe mode shouldn't be trusted.

--
Simon L. Nielsen
FreeBSD Security Team
