Disable safe mode without loss of security ?

  • Sephi

    Disable safe mode without loss of security ?

    Hello,

    I'm trying to disable safe mode from my php installation. First
    because this functionality will be removed in PHP6, and because it's
    very restrictive and it's giving me headaches when configuring
    frameworks and other applications. Moreover, it's said on the php
    website that the safe mode solution is not a good thing... I'm looking
    for a tutorial which indicates what to configure on a server in order
    to have a secured installation of PHP, but without safe mode. I can't
    find it...

    Thank you !

  • Willem Bogaerts

    #2
    Re: Disable safe mode without loss of security ?

    > I'm trying to disable safe mode from my php installation. First
    > because this functionality will be removed in PHP6, and because it's
    > very restrictive and it's giving me headaches when configuring
    > frameworks and other applications. Moreover, it's said on the php
    > website that the safe mode solution is not a good thing... I'm looking
    > for a tutorial which indicates what to configure on a server in order
    > to have a secured installation of PHP, but without safe mode. I can't
    > find it...

    If you see the documentation of safe mode, you see it starts by saying
    this really should be done on the server itself. However, this is
    OS-specific, so it is not easy to give any details without knowing the
    OS that will run the page.

    In general, the web server itself will run as a user that is known to
    the OS. This user should be given enough rights to run the site, but too
    few rights to do more harm to the system. It mainly comes down to
    rights management. The rights can (and should!) be set correctly on the
    OS, but can (and should!) be given in the web server as well for the
    site users.

    One approach is to have a directory for your site that is accessible to
    the web server process on OS-level, with a subdirectory in it that is
    served, and therefore publicly accessible (called the web root, usually
    "htdocs" or "www"). Deny directory browsing and set an index page on the
    web server level. Put your library php files outside the web root, so
    they can only be called from php, but never directly from a web browser.

    Best regards,
    --
    Willem Bogaerts

    Application smith
    Kratz B.V.
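
The layout described in the reply above, as an added example that is not part of the original post: a setup function and an audit function for a site directory with a served web root and a library directory outside it. The directory names `htdocs` and `lib`, the `WEB_GROUP` variable, and the ownership model (a separate deploy account owns the files, the web server user reads them through the group bits) are assumptions.

```shell
# Added example. Assumed layout (directory names are hypothetical):
#   $site/htdocs  web root, the only directory the web server serves
#   $site/lib     library PHP files, kept outside the web root
# Assumption: files belong to a separate deploy account and the web server
# user reaches them read-only through the group bits.

make_layout() {
    site=$1
    mkdir -p "$site/htdocs" "$site/lib" || return 1
    # WEB_GROUP is an assumed variable naming the web server's group.
    if [ -n "${WEB_GROUP:-}" ]; then
        chgrp -R "$WEB_GROUP" "$site" || return 1
    fi
    # Owner may write; group may read and traverse; others get nothing.
    find "$site" -type d -exec chmod 750 {} + &&
    find "$site" -type f -exec chmod 640 {} +
}

# Prints one finding per line. Returns 0 when clean, 1 when anything is found.
audit_site() {
    site=$1 webroot=$2 libdir=$3
    root_real=$(cd "$webroot" && pwd -P) || return 2
    lib_real=$(cd "$libdir" && pwd -P) || return 2
    findings=$(
        # Library code at or below the web root can be requested directly.
        case "$lib_real/" in
            "$root_real"/*) echo "LIB_IN_WEBROOT $lib_real" ;;
        esac
        # Group- or world-writable paths can be altered by the web server user.
        find "$site" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) -exec echo WRITABLE {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Directory browsing and the index page are set in the web server's own configuration, so this script does not check them.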
