  1. #1 secoif (SitePoint Zealot)

    Hacking PHP: Safe mode... What are the real dangers?

    Let's say I rent a virtual dedicated hosting package and have about 16 website clients.

    I have full control over PHP settings, etc.

    For some functions of the CMS I use, it requests that safe_mode be off.

    Now I just leave safe_mode off for simplicity, but what is the actual issue?

    What is the real danger? Users accessing other users' data?

    How?

    From http://www.webhostgear.com/319.html:
    The biggest problem with PHP on cPanel servers is that PHP will run as nobody. When someone sets a script to 777 access that means the nobody user has write access to that file. So if someone on the same shared server wrote a script to search the system for 777 files they could inject anything they wanted, compromising the unsuspecting user's account.
    I use Plesk on this particular server, so is this still an issue? What if I don't leave any files with 777 privileges?

    Additionally, most of my clients are of the "Microsoft Word is too complex" and "How did they know I needed Viagra?" type, so the likelihood of them writing malicious PHP scripts is slim... Is there a threat from external users?

    Does anyone have any experience hacking or being hacked with PHP safe mode off?

    Is this a realistic threat?
    Last edited by secoif; Jan 31, 2007 at 04:28.

  2. #2 stereofrog (SitePoint Wizard)
    safe_mode is pretty useless and can be safely turned off.

    open_basedir and disable_functions are usually good enough to protect users from each other on shared hosting. If security is a major concern, you can also consider running PHP as suexec CGI.
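    The following is an added example, not code from any poster in this thread. It turns the two points raised so far into checks a host can actually run: post #1's worry about 777 files that the shared "nobody" web-server user can write, and post #2's recommendation to confine each site with open_basedir and disable_functions. It assumes Apache with mod_php, where those two settings are set per site with the php_admin_value directive; the site directories, file names and vhost snippets below are constructed demo data, and the /var/www/site-a paths are placeholders to adapt to your panel's layout. The file audit goes slightly beyond the quoted article: it flags any file with the "other" write bit set, not only mode 777.

```shell
#!/bin/sh
# Added example (not from the thread). Two audit helpers for a shared PHP host:
#   world_writable_files DIR   - lists files under DIR that any local user can write
#   vhost_missing_isolation F  - reports which per-site isolation directives a vhost lacks

world_writable_files() {
    # -perm -002: the "other" write bit is set (777, 666, 646 ...), which is what
    # lets a script running as the shared "nobody" user modify the file.
    find "$1" -type f -perm -002 2>/dev/null | sort
}

count_world_writable() {
    world_writable_files "$1" | wc -l | tr -d ' '
}

# Prints "ok" when the vhost sets both open_basedir and disable_functions via
# php_admin_value (which site owners cannot override from .htaccess), otherwise
# "missing:" followed by the names of the absent directives.
vhost_missing_isolation() {
    missing=""
    grep -Eq '^[[:space:]]*php_admin_value[[:space:]]+open_basedir' "$1" \
        || missing="$missing open_basedir"
    grep -Eq '^[[:space:]]*php_admin_value[[:space:]]+disable_functions' "$1" \
        || missing="$missing disable_functions"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed demo data (placeholder paths, not real customer sites): two docroots,
# one of which contains a 777 upload script, plus a weak and a hardened vhost config.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/site-a/httpdocs" "$demo/site-b/httpdocs"
    : > "$demo/site-a/httpdocs/upload.php"; chmod 777 "$demo/site-a/httpdocs/upload.php"
    : > "$demo/site-a/httpdocs/index.php";  chmod 644 "$demo/site-a/httpdocs/index.php"
    : > "$demo/site-b/httpdocs/index.php";  chmod 644 "$demo/site-b/httpdocs/index.php"
    # Weak: PHP in this vhost can read any path the web-server user can, and call anything.
    cat > "$demo/weak.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/site-a/httpdocs
</VirtualHost>
EOF
    # Hardened: file access is confined to the site's own tree plus a temp dir, and the
    # functions a script would use to spawn processes are disabled for this site only.
    cat > "$demo/hardened.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/site-a/httpdocs
    php_admin_value open_basedir "/var/www/site-a/:/tmp/"
    php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
</VirtualHost>
EOF
    echo "$demo"
}

# Stand-alone run: audit the demo data and clean up.
demo_root=$(make_demo)
echo "world-writable files under site-a: $(count_world_writable "$demo_root/site-a/httpdocs")"
world_writable_files "$demo_root/site-a/httpdocs"
echo "weak.conf:     $(vhost_missing_isolation "$demo_root/weak.conf")"
echo "hardened.conf: $(vhost_missing_isolation "$demo_root/hardened.conf")"
rm -rf "$demo_root"
```

    Run the audit periodically over every docroot; a file it reports is one that any other customer's script, running as the same web-server user, could overwrite. The config check is deliberately simple (it only looks for the two directives); the real test is that a site's script can no longer read a neighbour's tree once open_basedir is set, and suexec or per-user PHP-FPM pools remain the stronger fix because they stop sharing the "nobody" user at all.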

  3. #3 secoif (SitePoint Zealot)
    OK, if it's useless, why are so many companies so very reluctant to turn it off?

    What do they think they know that I don't?

  4. #4 SitePoint Zealot
    Safe mode is already slated to be removed from future PHP versions.

  5. #5 kromey (Worship the Krome)
    They see the words "safe mode" and say, "Oh, that must be a mode where PHP is safe! Let's use it!!" Really, it's akin to running Windows in Safe Mode - it only occasionally proves useful in pretty specific circumstances, and you're just crippling yourself if you run in it all the time.
    PHP questions? RTFM
    MySQL questions? RTFM

  6. #6 secoif (SitePoint Zealot)
    From http://us2.php.net/features.safe-mode:
    The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.
    "since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now"

    So have solutions been put in place since the time that article was written? Or is PHP just making a stand, saying:

    "we're not going to support this anymore, so you have to do something about this now. hahaha"

    What I'm saying is:
    Since it's been removed, does this mean that servers are now secured and don't need safe mode anymore, or is it simply trying to force change?

  7. #7 stereofrog (SitePoint Wizard)
    The manual is right about safe mode being an "incorrect approach". Safe mode doesn't make PHP "safer" in any way. It is extremely easy to overcome by hackers and awfully inconvenient for normal users.

  8. #8 siteguru (SitePoint Wizard)
    My host has safe_mode Off.

    (Thank you for reading this probably pointless and inconsequential post)
    Ian Anderson
    www.siteguru.co.uk

  9. #9 secoif (SitePoint Zealot)
    When you say it's easy to overcome by hackers... How? How does someone hack PHP?

    I guess I could do a Google search, but yeah, I just wanted to know if anyone actually knew anything about it.

  10. #10 stereofrog (SitePoint Wizard)
    This article explains it well.

    PHP's safe_mode or how not to implement security, by Ilia Alshanetsky
    http://ilia.ws/archives/18-PHPs-safe...-security.html

  11. #11 secoif (SitePoint Zealot)

    Agreed, that is a good article and it certainly shed some light on the issue for me, but... despite all this, I am still unclear on what the definitive solution is.

    !!!
