----- Original Message -----
From: "Ken Marcus - Precision Web Hosting, Inc."
<kenmarcus (at mark) precisionweb.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Wednesday, December 06, 2006 2:58 PM
Subject: [coba-e:08117] Re: disable_functions directive in the php.ini
>
> From: "Dogsbody" <dan (at mark) dogsbody.org>
>
>
>>
>>> In reading at http://se2.php.net/features.safe-mode
>>> I noticed the disable_functions option in the php.ini
>>>
>>> The example given was:
>>> disable_functions = shell_exec,exec,system,dbmopen,
>>> suexec,escapeshellcmd,show_source,escapeshellarg
>>>
>>> Anyone have any ideas on this?
>>> Would it be a good idea to add these or other directives to the php.ini
>>> (not the one used for the GUI but the php.ini used for the sites) ?
>>
>>
>> Sounds like a good idea to me!
>>
>> Dan
>
> I actually checked a little more and the escapeshellcmd and escapeshellarg
> actually are (as far as I can tell) just used for escaping control type
> characters from user input. So, those 2 should probably not be disabled.
>
> Also, dbmopen is used for accessing dbm files which has legitimate uses.
> http://us2.php.net/dbmopen
>
>
>
> ----
> Ken Marcus
> Precision Web Hosting, Inc.
> http://www.precisionweb.net
>
As long as we are thinking about php security, it seems like it would be a
good idea to have the setup script add an open_basedir line for each site
to the /etc/httpd/conf/vhosts/siteXX.include specific to each site.
Something like adding the line
php_admin_value open_basedir /home/.sites/16/site186/web:/tmp
to the
/etc/httpd/conf/vhosts/site186.include
Probably there are other directories that need to be added to the list. Are
there any PHP experts out there?
If I recall correctly, on the PHP site they mentioned they are doing away
with Safe Mode in the future.
So restricting a site to its own directory would make sense.
----
Ken Marcus
Precision Web Hosting, Inc.
http://www.precisionweb.net
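The per-site open_basedir line Ken proposes, as an added shell example that is not part of the list thread: it audits a directory of siteXX.include files for the directive and flags open_basedir entries that PHP will treat as path prefixes rather than directories. The sample include files, the temporary directory and the site187 name are constructed for the example; on a real box the directory would be /etc/httpd/conf/vhosts.

```shell
#!/bin/sh
# Added example (not from the list thread): audit per-site Apache include
# files for the open_basedir restriction, using constructed sample files in
# a temporary directory instead of /etc/httpd/conf/vhosts.

# Print the name of every siteXX.include in DIR that has no
# "php_admin_value open_basedir" directive.
sites_missing_open_basedir() {
    dir="$1"
    for f in "$dir"/*.include; do
        [ -e "$f" ] || continue
        grep -Eq '^[[:space:]]*php_admin_value[[:space:]]+open_basedir' "$f" \
            || basename "$f" .include
    done
}

# Print each open_basedir path in FILE that lacks a trailing slash.
# PHP treats "/dir/web" as a prefix, so it also allows "/dir/web2";
# "/dir/web/" restricts access to that directory tree only.
open_basedir_entries_without_slash() {
    sed -nE 's/^[[:space:]]*php_admin_value[[:space:]]+open_basedir[[:space:]]+//p' "$1" \
        | tr ':' '\n' | grep -v '/$' || true
}

# Constructed sample data: one restricted site (site186, from the thread)
# and one unrestricted site (site187, invented for the example).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/site186.include" <<'EOF'
<VirtualHost 10.0.0.1:80>
    ServerName www.example.com
    php_admin_value open_basedir /home/.sites/16/site186/web:/tmp
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/site187.include" <<'EOF'
<VirtualHost 10.0.0.1:80>
    ServerName www.example.net
</VirtualHost>
EOF

sites_missing_open_basedir "$SAMPLE_DIR"                         # prints: site187
open_basedir_entries_without_slash "$SAMPLE_DIR/site186.include"  # prints both entries
```

The /tmp entry in the directive matters: upload_tmp_dir and session.save_path must lie inside open_basedir, or file uploads and sessions on the site will fail.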