[BlueOnyx:03118] Re: php error

Darrell D. Mobley dmobley at uhostme.com
Wed Dec 16 11:16:51 -05 2009


> -----Original Message-----
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
> On Behalf Of Stephanie Sullivan
> Sent: Wednesday, December 16, 2009 10:13 AM
> To: 'BlueOnyx General Mailing List'
> Subject: [BlueOnyx:03117] Re: php error
> 
> There are two things to consider:
> 	1) in php.ini - is safe mode on? I go with yes.
> 	2) in php.ini - is safe mode gid on? I'd bet no and suggest turning
> it on.
> 
> With php includes in safe_mode the owner of the including script must be
> the same as the script being included. If not, no joy.
> 
> Safe mode gid tells php to use the group rather than the owner as the
> basis. So, files of different owners than the calling php file can load
> those files with an include.
> 
> Here are some safe mode controls from my php.ini
> 
> safe_mode = On
> safe_mode_gid = On

There is some confusion about this to me and probably others.  According to
this webpage, http://aymanh.com/checklist-for-securing-php-configuration,
safe_mode and safe_mode_gid are not supposed to be enabled together, rather
individually:

"In its default state, PHP's safe mode is too restrictive for any advanced
development to be possible. However, there are several settings to relax it.
The biggest problem with safe mode is that only files owned by Apache are
accessible to PHP scripts. This is often impractical when many developers
are working on the same project, or when you want PHP to read a file without
changing its ownership. Another affected situation is when you want PHP to
read files generated by other programs. To work around this, there is a
setting that checks for file group instead of owner:

safe_mode = Off
safe_mode_gid = On

With safe_mode_gid enabled instead of safe_mode, PHP will be able to open
files that belong to Apache's group regardless of the owner. So if there are
several developers working on the same server, add them to Apache's group,
make it their default group, and everything should be set."

Also, I was the one asking about exec the other day, and using safe_mode_gid
together with an exec include directory, I should be able to run binaries
such as ImageMagick.  The question I have is, as the page listed above
states, I could create a directory and put symbolic links to binaries in it
for the web sites who wanted to use ImageMagick.  This would allow me to
isolate only binaries that are safe for websites to execute.  Therefore, the
question is, what binaries other than the ImageMagick ones, are usable by a
web site?
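
The symlink-directory approach described in the message above, as an added example that is not part of the original post: a shell function that fills an exec directory only from an explicit allowlist and refuses loosely permissioned targets. The function name, the paths, and the choice of `convert` and `identify` are assumptions; the directory is taken to be the one `safe_mode_exec_dir` points to in php.ini.

```shell
# Added example, not from the thread. Names and paths are assumptions.
# Assumed php.ini line:  safe_mode_exec_dir = /usr/local/php-safe-bin
#
# link_allowed_bins EXEC_DIR SRC_DIR NAME...
# Symlinks each allowlisted NAME from SRC_DIR into EXEC_DIR.
# Prints the number of links created; exit status is non-zero if any
# name was refused. Runs in a subshell so its variables stay local.
link_allowed_bins() (
    exec_dir=$1
    src_dir=$2
    shift 2
    linked=0
    refused=0
    mkdir -p "$exec_dir" || exit 2
    for name in "$@"; do
        # Only bare file names: no path components that could escape SRC_DIR.
        case $name in
            */*|.|..|'')
                echo "refused (not a bare name): $name" >&2
                refused=1
                continue ;;
        esac
        target=$src_dir/$name
        # Must resolve to a regular, executable file (no dirs, no dangling links).
        if [ ! -f "$target" ] || [ ! -x "$target" ]; then
            echo "refused (not an executable file): $target" >&2
            refused=1
            continue
        fi
        # A group- or world-writable binary can be swapped out by other local users.
        if [ -n "$(find -L "$target" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
            echo "refused (group/world writable): $target" >&2
            refused=1
            continue
        fi
        ln -sf "$target" "$exec_dir/$name" && linked=$((linked + 1))
    done
    echo "$linked"
    exit "$refused"
)

# Typical call (assumed paths):
#   link_allowed_bins /usr/local/php-safe-bin /usr/bin convert identify
```
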




