On Tue, February 10, 2009 11:13, Daniel Rheinbay wrote:
> Would you happen to run your boards with safe mode turned off? Given
> that it's been removed in php6 (cf. http://www.php.net/features.safe-mode ,
> though not yet released) and we'll upgrade at some point anyways, I guess
> we should consider turning it off?

safe_mode is not a real security solution; that is why PHP has abandoned it for their 6.0 release and Debian doesn't treat bugs in the safe_mode restrictions as being security-relevant. There's quite some documentation on its shortcomings around the net.

It will only have benefits in very specific environments, and there are much better ways to isolate applications on a host. open_basedir may help somewhat, but a good solution would be to use suEXEC + FastCGI to run the application under a dedicated user.

If turning it off resolves the problem for you I suggest you do that and investigate better avenues for isolation.

Thijs
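
A sketch of the suEXEC + FastCGI layout suggested in the reply above, as an added example that is not part of the original message. It assumes Apache with mod_suexec and mod_fcgid and a suEXEC document root of /var/www; the host name, paths and the boarduser/boardgroup account are placeholders.

```apache
# Added example, not from the original message. Host name, paths and the
# boarduser/boardgroup account are placeholders.
# Requires mod_suexec and mod_fcgid to be enabled.

<VirtualHost *:80>
    ServerName board.example.org
    DocumentRoot /var/www/board/htdocs

    # mod_suexec: CGI/FastCGI processes for this vhost run as this account
    # instead of the web server's own user, so file permissions (not PHP's
    # safe_mode checks) separate this application from others on the host.
    SuexecUserGroup boarduser boardgroup

    <Directory /var/www/board/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        # mod_fcgid starts this wrapper through suEXEC to serve .php files.
        # Older mod_fcgid releases spell this directive FCGIWrapper.
        FcgidWrapper /var/www/board/fcgi-bin/php-wrapper .php
    </Directory>
</VirtualHost>

# Wrapper script, kept outside the DocumentRoot:
# /var/www/board/fcgi-bin/php-wrapper  (owner boarduser:boardgroup, mode 0755)
#
#   #!/bin/sh
#   # safe_mode off; open_basedir kept as a secondary restriction.
#   exec /usr/bin/php-cgi -d safe_mode=0 -d open_basedir=/var/www/board
#
# Notes:
# - suEXEC refuses to run the wrapper unless it and its directory are owned
#   by the target user and group and are not writable by anyone else.
# - php_admin_value / php_admin_flag only apply under mod_php, so per-site
#   PHP settings are passed here with -d (or a per-user php.ini) instead.
# - Files the application must not modify should not be writable by
#   boarduser; only upload and cache directories need write access.
```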