Hey, yup it is kind of dangerous, there is no argument there. Currently I have php running safemode, and apache is running with user nobody. This combination makes it impossible for any filesystem commands to work on anything that isn't owned by nobody.. it's an interesting situation I believe... I've enjoyed reading documentation on these things.

Jason

jabber@xxxxxxxxxxx wrote:
>
> Jason Davidson wrote:
>
> >Anyways.. here's the question.. what do you think is the most viable
> >solution for security.
> >1. run apache in chroot environment.
> >2. run php in safe_mode
> >3. simply str_replace all filesystem functions with nothing.
> >4. use the disable_function settings to disable filesystem functions...
> >
> >5. all of these
> >6. none of these....
> >7. other.
> >
>
> All of those and many more things besides!
> for example the mail() function can send mail through the locally
> installed smtp server without a username and password so you need to
> watch for the mail function or perhaps even attempts to open a socket on
> localhost host. You will then need to watch out for include or fopen
> urls that will eat up bandwidth or worse.
> all in all I think this is pretty dangerous.
>
> >Thanks
> >Jason
> >
>
> --
> Raditha Dissanayake.
> ------------------------------------------------------------------------
> http://www.radinks.com/sftp/         | http://www.raditha.com/megaupload
> Lean and mean Secure FTP applet with | Mega Upload - PHP file uploader
> Graphical User Interface. Just 128 KB | with progress bar.
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
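The points raised in this thread (disabling filesystem functions, mail(), sockets to localhost, include/fopen URLs, safe_mode), turned into a configuration audit. This is an added example, not part of the original messages; the function watch list and the sample settings are constructed assumptions, not a complete inventory.

```php
<?php
// Added example, not from the thread. Audits PHP settings against the points
// raised above. The watch list is an illustrative assumption, not exhaustive.
function audit_php_config(array $ini): array
{
    $findings = [];
    // disable_functions is a comma-separated list; normalise it to a lookup set.
    $raw = strtolower((string)($ini['disable_functions'] ?? ''));
    $disabled = array_flip(array_filter(array_map('trim', explode(',', $raw))));

    $watch = [
        'filesystem' => ['fopen', 'file_put_contents', 'unlink', 'rename', 'copy'],
        'mail'       => ['mail'],   // local SMTP server accepts mail without auth
        'sockets'    => ['fsockopen', 'pfsockopen', 'stream_socket_client'],
    ];
    foreach ($watch as $group => $functions) {
        foreach ($functions as $fn) {
            if (!isset($disabled[$fn])) {
                $findings[] = "$group: $fn() is not in disable_functions";
            }
        }
    }
    // Remote URLs accepted by fopen()/include.
    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        if (filter_var($ini[$key] ?? false, FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$key is enabled";
        }
    }
    // ini_get() returns false for a directive this PHP build does not know;
    // safe_mode was removed in PHP 5.4, so it cannot be relied on there.
    if (($ini['safe_mode'] ?? false) === false) {
        $findings[] = 'safe_mode directive is not available on this PHP version';
    } elseif (!filter_var($ini['safe_mode'], FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'safe_mode is off';
    }
    return $findings;
}

$keys = ['disable_functions', 'allow_url_fopen', 'allow_url_include', 'safe_mode'];
// Constructed sample: safe_mode on, but only part of option 4 applied.
$sample = ['disable_functions' => 'unlink, rename, copy', 'allow_url_fopen' => '1',
           'allow_url_include' => '0', 'safe_mode' => '1'];
$live = array_combine($keys, array_map('ini_get', $keys));

foreach (['constructed sample' => $sample, 'running interpreter' => $live] as $name => $ini) {
    echo "== $name ==\n";
    foreach (audit_php_config($ini) as $finding) {
        echo "[!] $finding\n";
    }
}
```

Run it with the same SAPI and php.ini that serves the site (for example through the web server rather than the CLI), since the two can load different configuration files.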