where is the security in PHP 5.4 by removing safe_mode

2

7

I've got a sticky question in my mind: safe_mode has been removed in PHP 5.4, so what is the security in this removal?

Does it mean that any application can execute any program?

What technique is used for this purpose to prevent such violent actions?

Lafleur answered 19/3, 2012 at 0:16 Comment(0)
10

This article will explain to you why safe_mode has never made a single bit of sense and only provides you a false sense of security.

Ubald answered 19/3, 2012 at 0:20 Comment(1)
PHP developers also mentioned in the Safe Mode documentation: "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now." They just tried to deal with something that should be dealt with on a different level. PHP 5.4 fixed that; PHP 5.4 is now a more mature language. – Hermitage
3

safe_mode was trying to solve a security problem with the wrong tool. Since shared webhosts often host thousands of websites on one server, safe_mode was a convenient (and entirely inappropriate) method to restrict the damage one could do with PHP.

It was an illusion more than anything else. Though PHP may have been protected with safe_mode, what about other languages like Python and Ruby? The proper method is to use default Linux file permissions and modules like suPHP which run PHP as restricted users.

Animate answered 19/3, 2012 at 0:22 Comment(1)
But what if I do not give the user any FTP permissions, but an online website that allows him to create files limited to certain file types? Say if he was only allowed to use PHP with safe mode and only allowed to create html, css, js and php files? What's so insecure and illusionary in this? – Hambletonian
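
An added example, not part of the original thread: the answer above recommends OS-level file permissions instead of safe_mode, and this shell function audits a shared-hosting root for tenant directories that other local users can access and for world-writable paths inside them. The one-directory-per-site layout and the function name `audit_docroots` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumed layout: one directory per tenant directly under a hosting root,
# e.g. <root>/<site>/, each owned by its own restricted user.

# Print one finding per line as "<KIND> <path>":
#   OTHER_ACCESS    tenant docroot with any r/w/x bit set for "other"
#   WORLD_WRITABLE  path inside a docroot that any local user can modify
audit_docroots() {
    root=$1
    for site in "$root"/*/; do
        [ -d "$site" ] || continue      # unmatched glob or not a directory
        site=${site%/}

        # -prune keeps find on the docroot itself; the -perm tests match
        # when "other" has read, write or search permission on it.
        if [ -n "$(find "$site" -prune \
                \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)" ]; then
            printf 'OTHER_ACCESS %s\n' "$site"
        fi

        # World-writable files and directories below the docroot. Symlinks
        # are skipped because their own mode bits are always rwxrwxrwx.
        find "$site" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    done
}
```

An empty result means no tenant directory is reachable by other local accounts, which is the isolation safe_mode tried to approximate inside PHP and which then also holds for Python, Ruby or any other interpreter on the host.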
