where is the security in PHP 5.4 by removing safe_

Published 2020-02-12 06:10

Question:

I've got a sticky question in my mind: safe_mode has been removed in PHP 5.4, so what is the security in this removal?

Does it mean that any application can execute any program?

What technique is used for this purpose to prevent such violent actions?

Answer 1:

This article will explain to you why safe_mode has never made a single bit of sense and only provides you a false sense of security.



Answer 2:

safe_mode was trying to solve a security problem with the wrong tool. Since shared webhosts often host thousands of websites on one server, safe_mode was a convenient (and entirely inappropriate) method to restrict the damage one could do with PHP.

It was an illusion more than anything else. Though PHP may have been protected with safe_mode, what about other languages like Python and Ruby? The proper method is to use default Linux file permissions and modules like suPHP which run PHP as restricted users.
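
Added example, not part of the original answers: once isolation rests on Unix ownership and mode bits rather than safe_mode, a per-site audit like the one below shows where those bits fail to separate one hosting account from another. The function name `audit_docroot`, the finding labels and the `*.php` pattern are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: audit one site's document root on a shared host.
# Assumption: each site runs PHP under its own Unix account (for example
# via suPHP), so the kernel's permission checks are the only barrier
# between tenants, for PHP and for every other language alike.

# audit_docroot DIR OWNER
#   DIR   - the site's document root
#   OWNER - user name or numeric uid the site is expected to run as
# Prints one finding per line as "<LABEL> <path>"; returns 1 if any exist.
audit_docroot() {
    ad_root=$1
    ad_owner=$2
    ad_findings=$(
        # Anything another local account could modify (symlink modes are
        # always rwxrwxrwx and mean nothing, so skip them).
        find "$ad_root" ! -type l -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE /'
        # Scripts whose "other" read bit is set: config files holding
        # database passwords are readable by every account that can
        # traverse the parent directories.
        find "$ad_root" -type f -name '*.php' -perm -0004 -print |
            sed 's/^/OTHER_READABLE /'
        # Entries not owned by the site's account.
        find "$ad_root" ! -user "$ad_owner" -print |
            sed 's/^/FOREIGN_OWNER /'
        # setuid/setgid files have no place in a document root.
        find "$ad_root" -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/SETID /'
    )
    if [ -z "$ad_findings" ]; then
        return 0
    fi
    printf '%s\n' "$ad_findings"
    return 1
}

# Stand-alone use: ./audit.sh /path/to/docroot siteuser
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$2"
fi
```
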