Open Source and information security mailing list archives
Message-ID: <200506201520.31988@bwurst.org>
Date: Mon Jun 20 14:20:43 2005
From: bernd at bwurst.org (Bernd Wurst)
Subject: Security of suphp

Hello.

On Monday, 20 June 2005 at 14:37, Stefan Esser wrote:
> do yourself a favour and do not use safe_mode. safe_mode is not, was
> never and simply can never be secure. It is deprecated.
>
> There are simply too many ways to break out of safe_mode through 3rd
> party libraries like f.e. libcurl.

Yes, I fully acknowledge this. I also don't like safe_mode as a user, it 
creates trouble with script-uploaded-files and so on. safe_mode sucks 
and is deprecated BUT there's no working alternative for PHP used as an 
apache module! If you restrict some 3rd party libs, it's "secure 
enough" (I know that this term should never be said).

Using plain mod_php for user-scripts without safe_mode is not an 
alternative because users can run any script and read any file the 
webserver has access to via the webserver's user ID!
That's why I'm interested in suphp.

What do you propose for a regular shared hosting including user-uploaded 
scripts? PHP via CGI? Is that better than suphp? I don't think that's 
much of a difference.

cu, Bernd

-- 
If liberty means anything at all, it means the right to tell people
what they do not want to hear.
  -  George Orwell
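The risk Bernd describes is that under mod_php every user's PHP file must be readable by the one shared webserver uid, so any other customer's script can read it too. Once PHP runs under each customer's own uid (suphp, or PHP as CGI with a suexec-style wrapper), those files can be owner-only, and any .php file that still grants read to "other" is leftover exposure. The audit below is an added example, not part of this message, of suphp, or of any hosting product; it assumes customer sites live under one parent directory (such as /home) and only looks at the "other" read bit, so a webserver user that shares a group with customers would need a group-bit check as well.

```shell
# Added example (not from the original thread): audit a shared-hosting
# tree for PHP files that any local user could read.
# Assumption: customer sites live under one parent directory, e.g. /home.

# List .php files under the given root whose mode grants read to "other".
exposed_php_files() {
    find "$1" -type f -name '*.php' -perm -004 2>/dev/null | sort
}

# Number of such files; a cron job can alert when this is non-zero.
exposed_php_count() {
    exposed_php_files "$1" | wc -l | tr -d ' '
}

# Build a constructed fixture tree (not a real server) and run the audit on it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html" "$root/bob/public_html"
    printf '<?php $db_pass = "constructed-secret";\n' > "$root/alice/public_html/config.php"
    printf '<?php echo "hello";\n' > "$root/bob/public_html/index.php"
    printf 'body { color: black; }\n' > "$root/bob/public_html/style.css"
    chmod 0644 "$root/alice/public_html/config.php"  # readable by every local user: flagged
    chmod 0600 "$root/bob/public_html/index.php"     # owner-only, fine under per-user execution
    chmod 0644 "$root/bob/public_html/style.css"     # static file served by Apache, not audited
    exposed_php_files "$root"
    echo "exposed: $(exposed_php_count "$root")"
    rm -rf "$root"
}

demo
```

Static files (CSS, images) still have to be readable by Apache, which is why the check is limited to .php files; under suphp the PHP source itself is opened by the per-user process, not by the webserver uid, so an owner-only mode works for scripts and their included config files.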