[BlueOnyx:08195] Re: open_basedir bug in the SuPHP

Jeff Folk jfolk at qzoneinc.com
Mon Aug 22 21:57:08 -05 2011


On Aug 22, 2011, at 7:55 PM, Jason Ozin wrote:
> 
> Thanks for confirming the bug Jeff, but that is a horrible fix, Jeff, as it opens up quite a bit of a security hole.

Not according to Michael...

> I said:

> I hope that isn't too loose a setting... can sites cross boundaries?

If suPHP is enabled on all sites, then the ownerships will prevent that, as a 
suPHP enabled script can't snoop stuff that's owned by another UID/GID.

If there are sites where "just normal" PHP is enabled, then the more 
restrictive open_basedir settings in that site's siteX Apache config will 
restrict them from accessing anything else. 

So in theory this should be fine. In practical terms it could be better. Like 
if we had a setup where each suPHP enabled site had its own php.ini. However, 
that's not that easy to set up and I've set that aside for a later time for 
now.
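A defender's check for the arrangement described above: a site on plain mod_php runs as the shared Apache user and relies on its per-site open_basedir, while a suPHP site relies on file ownership. This added script is not from the thread or from BlueOnyx's own tooling; it scans a constructed per-site config (the hostnames, paths and directive placement are assumptions, not BlueOnyx's real layout) and flags vhosts that have neither protection.

```sh
#!/bin/sh
# Constructed sample config, three vhosts: site1 uses suPHP (ownership is the
# boundary), site2 uses mod_php with open_basedir, site3 has neither.
SAMPLE_CONF=$(cat <<'EOF'
<VirtualHost 192.0.2.10:80>
    ServerName site1.example.com
    DocumentRoot /home/sites/site1/web
    suPHP_Engine on
    suPHP_UserGroup site1 site1
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName site2.example.com
    DocumentRoot /home/sites/site2/web
    php_admin_value open_basedir /home/sites/site2/web:/tmp
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName site3.example.com
    DocumentRoot /home/sites/site3/web
</VirtualHost>
EOF
)

# Print the ServerName of every vhost that has neither suPHP enabled nor an
# open_basedir restriction: such a site runs PHP as the shared Apache user
# with no path boundary, so it could read files of every other site.
find_unbounded_vhosts() {
    printf '%s\n' "$1" | awk '
        /<VirtualHost/ { name = ""; suphp = 0; basedir = 0 }
        /^[ \t]*ServerName[ \t]/ { name = $2 }
        /^[ \t]*suPHP_Engine[ \t]+[Oo][Nn]/ { suphp = 1 }
        /^[ \t]*php_admin_value[ \t]+open_basedir/ { basedir = 1 }
        /<\/VirtualHost>/ { if (!suphp && !basedir) print name }
    '
}

find_unbounded_vhosts "$SAMPLE_CONF"
```

Point the function at `cat /path/to/siteX.conf` output to audit a real per-site config; an empty result means every vhost has one of the two boundaries.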
