Re: Security of suphp

[Bernd Wurst <bernd () bwurst org>]

Hallo.

Am Montag, 20. Juni 2005 14:37 schrieb Stefan Esser:
> do yourself a favour and do not use safe_mode. safe_mode is not, was
> never and simply can never be secure. It is deprecated.
>
> There are simply too many ways to break out of safe_mode through 3rd
> party libraries like f.e. libcurl.

Yes, I fully acknowledge this. I also don't like safe_mode as a user, it 
creates trouble with script-uploaded-files and so on. safe_mode sucks 
and is deprecated BUT there's no working alternative for PHP used as an 
apache module! If you restrict some 3rd party libs, it's "secure 
enough" (I know that this term should never be said).

Using plain mod_php for user-scripts without safe_mode is not an 
alternative because user's can run any script and read any file the 
webserver has access to via the webserver's user ID!
That's why I'm interested in suphp.

What do you suppose for a regular shared hosting including user-uploaded 
scripts? PHP via CGI? Is that better than suphp? I don't think that's 
much of a difference.

cu, Bernd

-- 
Wenn Freiheit überhaupt etwas bedeutet, dann vor allem das Recht,
anderen Leuten das zu sagen, was sie nicht hören wollen.
  -  George Orwell

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/