Posted by Willem Bogaerts on 05/02/07 07:29
> I'm trying to disable safe mode from my php installation. First
> because this functionality will be removed in PHP6, and because it's
> very restrictive and it's giving me headaches when configuring
> frameworks and other applications. Moreover, it's said on the php
> website that the safe mode solution is not a good thing... I'm looking
> for a tutorial which indicates what to configure on a server in order
> to have a secured installation of PHP, but without safe mode. I can't
> find it...

If you see the documentation of safe mode, you see it starts by saying
this really should be done on the server itself. However, this is
OS-specific, so it is not easy to give any details without knowing the
OS that will run the page.

In general, the web server itself will run as a user that is known to
the OS. This user should be given enough rights to run the site, but too
few rights to do more harm to the system. It mainly comes down to
rights management. The rights can (and should!) be set correctly on the
OS, but can (and should!) be given in the web server as well for the
site users.

One approach is to have a directory for your site that is accessible to
the web server process at OS level, with a subdirectory in it that is
served, and therefore publicly accessible (called the web root, usually
"htdocs" or "www"). Deny directory browsing and set an index page at the
web server level. Put your library PHP files outside the web root, so
they can only be called from PHP, but never directly from a web browser.

Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
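
The layout described in the reply above can be checked with a short script. This is an added example, not part of the original post; the function names, the index file names (index.php, index.html) and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example: audit a site directory against the layout in the post.
# The site, web root and library paths are supplied by the caller.

# Resolve a directory to its physical absolute path (symlinks followed).
abs_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Usage: audit_site SITE_DIR WEB_ROOT LIB_DIR
# Prints one line per finding and returns the number of findings.
audit_site() {
    site=$(abs_dir "$1") || { echo "missing site dir: $1"; return 1; }
    root=$(abs_dir "$2") || { echo "missing web root: $2"; return 1; }
    lib=$(abs_dir "$3")  || { echo "missing library dir: $3"; return 1; }
    findings=0

    # The served directory must be a subdirectory of the site directory.
    case "$root/" in
        "$site"/?*) ;;
        *) echo "web root is not a subdirectory of the site directory"
           findings=$((findings + 1)) ;;
    esac

    # Library files must sit outside the web root, otherwise a browser
    # can request them directly.
    case "$lib/" in
        "$root"/*) echo "library dir is inside the web root: $lib"
                   findings=$((findings + 1)) ;;
    esac

    # Rights management: nothing under the site should be world-writable.
    ww=$(find "$site" ! -type l -perm -0002 -print)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/world-writable: /'
        findings=$((findings + $(echo "$ww" | wc -l)))
    fi

    # Served directories without an index page are the ones that get
    # listed when directory browsing is not denied (index names assumed).
    noidx=$(find "$root" -type d -exec sh -c \
        '[ ! -e "$1/index.php" ] && [ ! -e "$1/index.html" ]' sh {} \; -print)
    if [ -n "$noidx" ]; then
        echo "$noidx" | sed 's/^/no index page: /'
        findings=$((findings + $(echo "$noidx" | wc -l)))
    fi

    [ "$findings" -gt 255 ] && findings=255   # exit statuses stop at 255
    return "$findings"
}
```
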