Serious Safe Mode Discussion

mindless
mindless's picture

Joined: 2004-01-04
Posts: 8601
Posted: Mon, 2004-12-13 20:34
 
RwD
RwD's picture

Joined: 2005-01-09
Posts: 383
Posted: Mon, 2005-01-10 14:34

Just an idea after not reading this thread:

Can you not implemement safe-mode support as a module? Only thing you need to check for is if safe-mode is enabled and if the module for that is there. you should be able to code for that. I read about the things you can't do when in safemode, but making a module that works around that would keep gallery2 being a good product but also making it run way more servers then before making it a more used system. (I don't know if you aim for wide use, but safe-mode rules out a lot of users who will go for something else (I would if I wasn't able to set up my own server (haven't gotten one though so safe-mode is pain in but)))

 
MartinWelen

Joined: 2005-01-15
Posts: 1
Posted: Sat, 2005-01-15 23:32

Does anyone have a link to a page explaining why safe_mode is a stupid thing?

My ISP desperatly klings on to the idea that it is for security reasons, and won't budge.

 
h0bbel
h0bbel's picture

Joined: 2002-07-28
Posts: 13451
Posted: Sat, 2005-01-15 23:46

MartinWelen, http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=67

This might have been mentioned earlier in this thread though.

 
Einstein
Einstein's picture

Joined: 2003-10-13
Posts: 105
Posted: Sun, 2005-01-16 02:03

Mostly that text didn't have much to do with safe mode.

 
RwD
RwD's picture

Joined: 2005-01-09
Posts: 383
Posted: Thu, 2005-01-20 09:14

It shows you don't need safe mode. Safe mode isn't a stupid thing, but it is like a patch for a problem rather then a real solution (or so I am told, I have no real knowledge on the setup of servers)

 
trader

Joined: 2002-09-15
Posts: 15
Posted: Wed, 2005-07-20 08:09

I want to get gallery (1) working with safe mode on.

Reading the various docs, I think it should be possible doing the following?

- I use netpbm and put the binaries into a /bin situated one level above /httpddocs
- chown all gallery files to apache user
- chown the binaries to apache user
- safe_mode_exec_dir set to this /bin in the vhosts file
- create /tmp one level above /httpddocs
- chown /tmp to apache user
- phpupload_dir set to the /tmp in the vhosts file
- 2 additional openbasedirs for our /tmp and /bin

comments?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-07-20 08:52

i guess that could work. but isn't it a little pointless using safe mode with such a setup?
and isn't it a little bit pointless using safe mode if you have the choice to turn it off?

my recommendation for secure shared webhosting is still:
php-fastcgi + suExec (+userdir + apache2). if it isn't shared webhosting, then using safe mode is pointless.

 
trader

Joined: 2002-09-15
Posts: 15
Posted: Wed, 2005-07-20 09:07

It is a shared environment.

There are other scripts than gallery there (phpBB2, Postnuke, etc.).

cgi is disabled - I need a secure server - I have already been hacked 3 times.
I made /tmp noexec, installed mod security, restricted a lot of system tools to root.

I have also been thinking about fastcgi. Still exploring the implications for Plesk 7.5.3, which I use to manage the server.
Using fastcgi would make safemode run without problems right?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-07-20 09:18

using fastcgi (+ suExce) would work with safe mode, but my point is that fastcgi + suexec is secure enough to not need the silly safe mode at all.

 
RwD
RwD's picture

Joined: 2005-01-09
Posts: 383
Posted: Thu, 2005-09-01 10:16

I was wondering if you meet your goals by not supporting safe-mode enabled servers.

Portable
G2 will work on any PHP platform and support a wide range of data processors (eg, image toolkits) and all the popular database solutions.

I don't think it is a matter of interpretation because any php platform having safe-mode enabled is still a php platform. Perhaps you could say that because of certain settings some functionalities might not work but that is not very nice. Aren't there lots of applications that are able to run with safe mode enabled? If so, then why can't an uber-app like gallery2?

Anyway, now you are closing in on the release of gallery2 I think you can give us a clue if someone here is going to make a work around for safe mode?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-09-01 14:23

the reasons why exactly G2 can't support safe mode on are in this thread.
there are some ideas about how we could work around some of the issues, but not for all.
a G2 light or G2 with some disabled functions could be the way to go, but it's a larger task.

 
brasileira

Joined: 2005-09-06
Posts: 9
Posted: Mon, 2005-09-12 09:49

hello...
I am having a problem with the safemode thing also with SMF forum and a guy said this:

"If you're under an Apache environment that has this option enabled, but you're on shared hosting so have no access to php.ini, you can unset this value for your own site by placing the following in an .htaccess file in the root:

php_flag register_globals 0


The ini_set() function actually accomplishes nothing here, since the variables will have already been created by the time the script processes the ini file change.

And since this is the security chapter, just as a side note, another thing that's helpful to put into your .htaccess is:

<Files ".ht*">
deny from all
</Files>

That way no one can load .htaccess in their browser and have a peek at its contents."

What do you guys think about this? ... And how can one do this?
I really wouldn´t like to change server after all the work I had to install my forum and Mambo (They were very helpfull than) :)

 
davil

Joined: 2005-09-16
Posts: 1
Posted: Fri, 2005-09-16 20:07

Just to add some flavour to this discussion:
I wanted to set up an image gallery these days. I really would have liked to use G2, but my web provider has recently activated safe_mode and I can't switch my web host (since they are rather good altogether), neither do I have the time to do some funny patching in the codes (which wouldn't be that big problem since I'm an PHP applications developer myself).

Sum: I chose to use Coppermine, which works fine with safe_mode enabled.

I have been into OS development for some years (contributed some mods to phpBB for example) and I know how hard it is to find the right medium between your own imagination about how things should be on one hand and the user requirements on the other hand.

But in the end there is (in most cases) one big decision: support maximum code quality and stylishness (based on your own standards) or reach a maximum amount of users. Of course there are ways inbetween, but altogether this is the big step many projects have to take.
I remember times when some PHP applications wouldn't work without magic_quotes or even register_globals set to ON. Thank gods these applications are extinct now, but always remember that times and requirements change. What if applications that require safe_mode=off are next to be eradicated?

Always keep in mind that a project needs some user base to be successful and _stay_ so over some years. Don't give away the possibility to grow and establish by knocking out users out of sheer style reasons. phpBB wouldn't be where it is now if it didn't run on nearly any web host.

Fact is: many web hosts out there have safe_mode turned on. Even good and expensive ones. Telling all those users that they do something wrong in that patronizing way lacks style IMHO.

My recommendation: keep the principle (safe_mode=off) as it is, but wrap all necessary functions into some more or less ugly wrappers. Then create a "safe_mode hacks module" and include it in the default packages. I personally would have preferred an ugly (but nevertheless secure) FTP-hack in G2 over using Coppermine. Let the users decide what they want and you will have more and happier users!

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2005-09-16 20:25

brasileira: nonsense. you can't change safe mode on to off with .htaccess.

davil: there are a lot of great providers which set safe mode off, because they understand that's it tries to solve the problem on the wrong level. just switch the provider.
fact is, that we already have the largest user base among all gallery software products with Gallery 1.x and it also requires safe mode off. Soon most will have switched to g2. and since users want g2, providers will understand what to do, when users start switching to providers that offer safe mode off.
but yes, since you read this thread you know that we not categorically deny looking into a php safe mode enabled compliant G2. it's just a low priority task compared to some of the other 500+ requests we have.
i'd find it quite cool if we could make that happen, but we all have only a certain amount of time that we can spend on working for g2 a week.

 
peh

Joined: 2002-11-24
Posts: 15
Posted: Sat, 2005-11-05 15:11

If you need a host that allows you to turn on/off safe mode yourself.... I just signed with www.servage.net and you can host up to 25 domains and for each you can change safe mode settings yourself... so not depending of the host.

I installed G2 without any problems at all... and they just charge 7.50 Euro / month for 7500MB...

Incidently, if you sign up with them you can use this link http://www.servage.net/?coupon=CUST13816 or manually
enter the coupon code CUST13816 then you will get an extra 500Mb space... and so will I.. :-)

 
mindless
mindless's picture

Joined: 2004-01-04
Posts: 8601
Posted: Sat, 2005-11-05 17:42

uh, nice ad. we have a separate forum for such things.

 
sisp

Joined: 2005-11-06
Posts: 8
Posted: Sun, 2005-11-06 18:48

I am an ISP / ASP in the United States. We've been around since 1994 and have several thousand customers hosting sites from all around the world, handling all sorts of applications. I'm also a programmer that has received "Editor's Choice" in PC Magazine for my work, so I know about writing solid software and making it commercially marketable and secure.

If a client wants to co-lo their own server on our network, that's the ONLY way they would be able to operate PHP in non-Safe_Mode. We refuse to disable safe mode. It is 100% bad news for everybody: users, developers and administrators. We are more like most ISPs than unlike them.

I don't want to be redundant and reiterate what others have said here about how dangerous and foolish it is to run PHP in non-safe mode. Even if the program design is such that this type of functionality is needed, others have also outlined ways in which this can be worked around. It's even more ironic that as I visit the site, there's an update to the program which fixes an exploitation allowing file contents to be viewed. With safe mode enabled, the extent to which that bug could be exploited would be limited to the application itself; with safe mode turned off, the ENTIRE SERVER AND ALL USER ACCOUNTS AND DATA is totally compromised. This is UNACCEPTABLE.

We've been looking for some Gallery software to employ for some time, and I'm sure you guys have spent a lot of time and selfless energy making your product as best you think it can be, but I have to say, as a fellow programmer, I'm dismayed at how you casually write off the importance of making your application compatible with safe mode, and how you distract others by saying, "Well, if you use CGI scripts, they can bypass safe mode-type restrictions so what's the point?" The point is, either you care about the security and integrity of the server, the application and the users' data, or you do not.

I honestly do not mean any disresepct, but any programmer who does not value the importance of security and specifically the protections offered under safe mode (as well as register globals=off), then I have to have some suspicion of their experience and capability to write quality applications.

I understand that there may be some features of the application that may need safe mode-disabled features, but to not have that as an option (disable those safe mode-required features) is irresponsible IMO.

If you want to be taken seriously in this community, you cannot ignore this issue. I'd really like to consider using your software, but your lack of regard for some fundamentally basic security issues is profoundly disconcerting.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2005-11-06 19:03
Quote:
If a client wants to co-lo their own server on our network, that's the ONLY way they would be able to operate PHP in non-Safe_Mode. We refuse to disable safe mode. It is 100% bad news for everybody: users, developers and administrators. We are more like most ISPs than unlike them.

reiterating myself...
Use apache2 + PHP-fastcgi + suexec + chroot jail and you'll have a shared webhosting solution which is very secure.

@recent exploit: open_basedir would lead to about the same security as safe_mode for this issue.

Quote:
The point is, either you care about the security and integrity of the server, the application and the users' data, or you do not.

again, users with dedicated hosting and users with (fast)cgi+suexec+chroot jail are on the safe side.
we found safe_mode to have too many restrictions to be practical and safe_mode being a security measure on the wrong level is a wildly discussed topic, not just here on gallery.menalto.com.
solve the security problem with suexec + chroot jail. php-fastcgi hasn't the drawback of php-cgi being slow / driving the CPU load up, it just requires a little more RAM.

@register globals = off: was never an issue in G2

Quote:
If you want to be taken seriously in this community, you cannot ignore this issue. I'd really like to consider using your software, but your lack of regard for some fundamentally basic security issues is profoundly disconcerting.

what community would that be? ISPs that ignore alternatives to PHP safe_mode? security is not an issue with G2 if the webserver is configured properly.

that being said, we welcome any patches to G2 which allow the operation in a safe_mode enabled environment. we plan to offer sooner or later a light version of G2, maybe just a G2 with some features disabled, which will work with safe_mode. but we are very busy and are working on other issues and features at the moment.

 
sisp

Joined: 2005-11-06
Posts: 8
Posted: Sun, 2005-11-06 19:06

By the way, you guys that think this is an issue of finding the right ISP that has no responsible security policy a solution, you should consider that any ISP which allows such insecure systems to also be compromising your security. The guy next to you on the server may have an earlier version of the software and a back door open to all of your files, the config data, passwords and everything you have stored there.

This is not merely an issue of a badly designed program that might have a bug in it. It's an issue of a poorly designed program that, as a result of its flaws, compromises the integrity of every other application running on that server, all user accounts and passwords, and all other software and data.

If you have a dedicated server and all it's doing is hosting this application, that might warrant not running in safe mode. Other than that circumstance, it really is bad news.

Guys, what were you thinking?? Do you understand the pressure you put on all your users and administrators? Every time a bug is discovered in your software, you put tremendous pressure on all your clients to immediately upgrade or else face potentially dire consequences. Since the app is in PHP, the source code is visible to all, and if nefarious people like spammers know you don't require safe mode, they have everything they need, including big-time motivation, to hack into all your customers' installations to achieve tremendous amounts of control over the entire server. An application of this nature is something that black hat hackers will specifically probe for, because they know they can 0wn the machine its running on if they can find a bug.

 
sisp

Joined: 2005-11-06
Posts: 8
Posted: Sun, 2005-11-06 19:16
valiant wrote:
Quote:
If a client wants to co-lo their own server on our network, that's the ONLY way they would be able to operate PHP in non-Safe_Mode. We refuse to disable safe mode. It is 100% bad news for everybody: users, developers and administrators. We are more like most ISPs than unlike them.

reiterating myself...
Use apache2 + PHP-fastcgi + suexec + chroot jail and you'll have a shared webhosting solution which is very secure.

Good suggestions. But this is like saying, "Hey, our car doesn't have an airbag, and yea, all the other cars nowadays have airbags, but it's no big deal if you wear a helmet and a thick padded suit while you drive. It's just as if our car did have an airbag."

It's still an excuse to compensate for flaws in the program design that compromise security. Of course there are work-arounds. But safe mode is not an insignificant setting, and that should be obvious when you consider that you'd need a half-dozen other systems installed to emulate a similarly secure environment!

Even the developers of PHP acknowledge (as paraphrased in this thread) that operating in non-safe-mode is just plain foolish. You cannot get any respectable programmer to not agree on this point.

I understand you all have to defend your application, but let's be honest. If your app ran in safe mode, you would be on my side of the argument in a nanosecond, and you know it. You know it's bad news that the program needs safe mode disabled. You know that any little bug discovered becomes exponentially more dangerous because of this requirement.

 
sisp

Joined: 2005-11-06
Posts: 8
Posted: Sun, 2005-11-06 19:27
valiant wrote:
@register globals = off: was never an issue in G2

OMG, are you telling me that G1 reqires register globals to be enabled?

Seriously? Is the application in that bad a shape that it can't read the CGI data from their proper array names?

If this is the case, let me just say this. Congrats to the developers here, who are apparently just getting into programming and still learning, and it's really great that such a pet project has gotten so much attention. The site is very slick and professional. You'd never know.

Keep up the good work, but please, read up on security and rewrite the software so that it operates with the industry standard security measures in place. You can fix these problems in as much time as it takes to make up excuses for why they should be ignored, and you get the benefit of not being looked at as skript kiddi3s by professionals in the industry.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2005-11-06 19:39
Quote:
This is not merely an issue of a badly designed program that might have a bug in it. It's an issue of a poorly designed program that, as a result of its flaws, compromises the integrity of every other application running on that server, all user accounts and passwords, and all other software and data.

G2 badly designed? i'm not the author of g2 but i'm amazed by its design. i guess you're just referring to the "flaw" of not to work with safe_mode on. and that was a design decision after evaluating alternatives.

Quote:
It's still an excuse to compensate for flaws in the program design that compromise security. Of course there are work-arounds. But safe mode is not an insignificant setting, and that should be obvious when you consider that you'd need a half-dozen other systems installed to emulate a similarly secure environment!

safe_mode is also a work around. among the alternatives, i'd always use fastcgi+suexec+chroot jail for shared webhosting.

please submit a safe_mode on patch for G2, that would be constructive criticism.

Quote:
Even the developers of PHP acknowledge (as paraphrased in this thread) that operating in non-safe-mode is just plain foolish. You cannot get any respectable programmer to not agree on this point.

i agree that there are lots of mod_php (non suexec), non-safe_mode g2 installs out there and they risk to lose their album data due to other scripts by other users on the same server and they risk to be a threat to other users on the same server if there was a really bad exploit for g2. and i don't like that fact.
i myself am hosted on a shared webhosting plan offering cgi, suxec for few money. and i recommend that to everyone. i strongly believe that safe_mode is just an alternative and depending on what applications you'd like to run, you should choose a webhoster that can run in safe_mode off.

Quote:
I understand you all have to defend your application, but let's be honest. If your app ran in safe mode, you would be on my side of the argument in a nanosecond, and you know it. You know it's bad news that the program needs safe mode disabled. You know that any little bug discovered becomes exponentially more dangerous because of this requirement.

we would like a G2 version that works with php safe_mode on, yes. but just because we would like to get rid of as many requirements as possible.
run G2 not without suexec and you're security concerns are null and void.

you as a programmer and ISP that is interested in hosting G2 installs could submit a php safe_mode patch for G2.
you as an ISP could switch to fastcgi+suexec+chroot jail and also be happy.
we as the developers of g2 could spend time investigating alternatives for all features and sublayers of G2 that require safe_mode on. but as i said, we're not that unsatisfied with the current situation concerning safe_mode that we'd prioritize it higher than our current tasks.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2005-11-06 19:46
sisp wrote:
Quote:
@register globals = off: was never an issue in G2

OMG, are you telling me that G1 reqires register globals to be enabled?

Seriously? Is the application in that bad a shape that it can't read the CGI data from their proper array names?

If this is the case, let me just say this. Congrats to the developers here, who are apparently just getting into programming and still learning, and it's really great that such a pet project has gotten so much attention. The site is very slick and professional. You'd never know.

Keep up the good work, but please, read up on security and rewrite the software so that it operates with the industry standard security measures in place. You can fix these problems in as much time as it takes to make up excuses for why they should be ignored, and you get the benefit of not being looked at as skript kiddi3s by professionals in the industry.

nope, i said that as a specialist for g2 and since you're posting in the g2 forums. i've never worked on g1. just checked and g1 doesn't require register globals. check your facts and stop discussing on that level. it would be easy to attack you or your skills personally, but let's stick to the topic and discuss facts.

g2 is well designed. safe_mode is just an alternative. and you should either submit a safe_mode on patch for g2 or add new input to the discussion. everything else won't help at this point.

 
sisp

Joined: 2005-11-06
Posts: 8
Posted: Sun, 2005-11-06 19:52

I appreciate where you're coming from.

Unfortunately, while I can see the value of trying to hack the code to operate under safe mode, the reason I came here was to avoid having to do it myself.

In any case, as I said before, it is impressive how far you all have come, and it seems like the product is well supported and feature laden. I look forward to seeing how it evolves in the future.

As for the "work arounds", one thing you forget, is the more disparate systems you have to implement, such as suexec, fastcgi, chroot, etc., the more complicated the install becomes, the more things you have to monitor for vulnerabilities, the more areas that can fail, etc. The first rule of security is to keep things simple, and the less windows & doors you have in your house, the less entry points.

Safe mode is not the be-all end-all of php security. We know that, but it is a substantive part of a secure php-based system.

 
fryfrog

Joined: 2002-10-30
Posts: 3236
Posted: Sun, 2005-11-06 20:17
sisp wrote:
Unfortunately, while I can see the value of trying to hack the code to operate under safe mode, the reason I came here was to avoid having to do it myself.

Don't hack the code to make it work, come up with a valid functional alternative and design it in such a way that it can be patched into G2.

The big problem with safe mode really boils down to the external dependancies that G2 *has* to have. It uses external binaries to accomplish pretty much every "cool" thing G2 does. GD just sucks, its hard to get around. With safe mode on, thats just about the only thing anything can use. So no thumbs for videos from ffmpeg, no thumbs from RAW images, none for PDF files and none for future formats with some external tool. Pretty much only thumbs for jpg, bmp and perhaps one other popular format.

And I have to disagree with your view on safe mode as a "security". It is a crutch, used by inexperienced server admins to help them pretend their server is secure.

Scripts should not run as the main webserver user, and this goes for perl, php, asp or any other scripting language. The problem with safe mode in php is that its the *ONLY* one that offers this functionality. So you can't exploit php? Okay, switch to perl or what ever else you want, its simply using security through being slightly harder to get around. Real security comes from setting up your shared environment correctly. chroot and/or forcing all scripts to be run *as* the site's user is the only real security. Unless of course the *only* scripting language you offer is php, then safe mode is awsome. Of course, you might find your customers picking a provider that is intelligent enough to setup a properly secure web server.

You might try exploring Coppermine, I believe that if you have GD (and don't mind not using ImageMagick) it will work just dandy in safe mode. It is probably one of the biggest opensource competitors, and its a good one.

 
fryfrog

Joined: 2002-10-30
Posts: 3236
Posted: Sun, 2005-11-06 21:24

And this is the post where I pick apart your posts.

sisp wrote:
I am an ISP / ASP in the United States. We've been around since 1994 and have several thousand customers hosting sites from all around the world, handling all sorts of applications. I'm also a programmer that has received "Editor's Choice" in PC Magazine for my work, so I know about writing solid software and making it commercially marketable and secure.

Wow, several thousand customers. Search google for something like "powered by gallery" and you'll turn up possibly hundred's of thousands of sites using it, from around the world. And your a programmer? What did you write? I'm interested, is it closed source? There were never *any* security issues found in it? "Editor's Choice"? I think Gallery has won some "awards" too, but I'm to lazy to figure out what they were, it really doesn't mean a whole lot though.

sisp wrote:
If a client wants to co-lo their own server on our network, that's the ONLY way they would be able to operate PHP in non-Safe_Mode. We refuse to disable safe mode. It is 100% bad news for everybody: users, developers and administrators. We are more like most ISPs than unlike them.

I once worked for an ASP like this. You know why *they* did it (and most other providers, imho)? To sell more dedicated servers. And it is only 100% bad news for an ASP that doesn't know how to setup a secure shared hosting server. A little more work? Maybe. But you sure as heck provide a better product to your customers.

sisp wrote:
I don't want to be redundant and reiterate what others have said here about how dangerous and foolish it is to run PHP in non-safe mode. Even if the program design is such that this type of functionality is needed, others have also outlined ways in which this can be worked around. It's even more ironic that as I visit the site, there's an update to the program which fixes an exploitation allowing file contents to be viewed. With safe mode enabled, the extent to which that bug could be exploited would be limited to the application itself; with safe mode turned off, the ENTIRE SERVER AND ALL USER ACCOUNTS AND DATA is totally compromised. This is UNACCEPTABLE.

You are being redundant, have you read this whole thread? Did you bring up *anything* new? Have you read some of the info on why safe mode itself is foolish? I've not seen any valid ways of making gallery functional with safe mode enabled, why don't you point them out. Yes, its very ironic that you find a security vulnerability. Ironic becuase on any server using chroot and/or proper permissions, the "exploit" doesn't allow anything. If any server you setup allows "the ENTIRE SERVER AND ALL USER ACCOUNTS AND DATA" to be compromised *just* because safe mode is off, you have done a very very bad job of setting up a server. You should hire someone who knows how to do it properly and learn from them.

sisp wrote:
We've been looking for some Gallery software to employ for some time, and I'm sure you guys have spent a lot of time and selfless energy making your product as best you think it can be, but I have to say, as a fellow programmer, I'm dismayed at how you casually write off the importance of making your application compatible with safe mode, and how you distract others by saying, "Well, if you use CGI scripts, they can bypass safe mode-type restrictions so what's the point?" The point is, either you care about the security and integrity of the server, the application and the users' data, or you do not.

Does an entire thread that is STICKY seem "casual"? It was discussed in depth and no one who *wanted* safe mode could step forward and help the team accomplish that goal. A bunch of people with demands and requirements, but no one to actually step up to the plate. Sound familiar? Of course, at least most of *those* people didn't step in and start insulting the team and the project. And distract people? If you tell me that your window absolutly has to have double steel bars and a keyed lock, then I point out that your FRONT DOOR IS OPEN... is that a distraction? No, its pointing out the obvious to people who just don't notice that their door has no lock on it. The point is, its totally obvious we care about security. Did you notice the security fix? So its obvious that security is a huge concern in G2. Maybe what you don't understand is that safe mode does NOT translate to "secure" in any shape or form. Have you even installed or tried out G2? Reviewed any of the code? I doubt it.

sisp wrote:
I honestly do not mean any disresepct, but any programmer who does not value the importance of security and specifically the protections offered under safe mode (as well as register globals=off), then I have to have some suspicion of their experience and capability to write quality applications.

I understand that there may be some features of the application that may need safe mode-disabled features, but to not have that as an option (disable those safe mode-required features) is irresponsible IMO.

If you want to be taken seriously in this community, you cannot ignore this issue. I'd really like to consider using your software, but your lack of regard for some fundamentally basic security issues is profoundly disconcerting.

Obviously you do mean to disrespect, you posts are full of insults and offer no advice or solutions. Just insults. Great job. Its already been covered and proven that security is a major concern for G2. What you fail to prove is that safe mode is even a worth while security precaution. I don't think you need to doubt the experience of the devs, you could review the code and see how methodical and careful they are with G2.

sisp wrote:
By the way, you guys that think this is an issue of finding the right ISP that has no responsible security policy a solution, you should consider that any ISP which allows such insecure systems to also be compromising your security. The guy next to you on the server may have an earlier version of the software and a back door open to all of your files, the config data, passwords and everything you have stored there.

The right ISP is more secure with *or* without safe mode than anything you have discussed. You obviously have no grasp on how a server should be setup, in theory or practice. A chroot'ed webster eliminates the possiblity of *ANYONE* causing problems with any other part of the server, and running scripts as the user of the site prevents them from accessing anything which has proper permissions. Combined, this makes a double wall that is near impossible to break. This is proper security. Want to throw in safe mode on top of it? All you do is make things harder on users that care and no safer for users that don't. If you think that safe mode protects your server from allowing access to other sites, you are quite frankly nieve. Sure, it may stop PHP. But it doesn't stop anything else. Either you believe in security and you setup your server right, or you don't and simply use safe mode. See? I can come up with stupid phrases that aren't true but sound menecing.

sisp wrote:
This is not merely an issue of a badly designed program that might have a bug in it. It's an issue of a poorly designed program that, as a result of its flaws, compromises the integrity of every other application running on that server, all user accounts and passwords, and all other software and data.

If you have a dedicated server and all it's doing is hosting this application, that might warrant not running in safe mode. Other than that circumstance, it really is bad news.

You are dead on here. On a poorly secured server with a badly designed web application, you are opening yourself to a world of hurt. I'd never host on a server like this, and a poorly secured server with safe mode *on* is still a poorly secured server. Even on a dedicated server its bad news, you could loose precious data and uptime. Security is important, on a server level and on an application level. I'd say thats why G2 takes security on the application level *very* importantly and leaves the server security up to the competent hosts.

sisp wrote:
Guys, what were you thinking?? Do you understand the pressure you put on all your users and administrators? Every time a bug is discovered in your software, you put tremendous pressure on all your clients to immediately upgrade or else face potentially dire consequences. Since the app is in PHP, the source code is visible to all, and if nefarious people like spammers know you don't require safe mode, they have everything they need, including big-time motivation, to hack into all your customers' installations to achieve tremendous amounts of control over the entire server. An application of this nature is something that black hat hackers will specifically probe for, because they know they can 0wn the machine its running on if they can find a bug.

Even with safe mode on, when a security flaw is found, data can still be explosed, exploited and/or manipulated. On a poorly secured server, it *might* stop them from causing issues with other people... but it could just as possibly allow the hacker to install a cgi script and use *that* to walk over to all the other customers. Since this poorly secured server obviously wasn't setup properly using chroot or at the very least, good permissions... they are able to still get around safe mode. Security or speed bump? You decide.

I've seen this problem too, most frequently with phpbb and/or postnuke (because they are more popular than G1/G2), but older versions of G1 definatly has some security flaws. You could check your logs for referers from search engines where they were searching for specific versions to find you. Even with safe mode, nafarious people (not just spammers!) can seek out and abuse your site. Safe mode doesn't stop it.

sisp wrote:
Good suggestions. But this is like saying, "Hey, our car doesn't have an airbag, and yea, all the other cars nowadays have airbags, but it's no big deal if you wear a helmet and a thick padded suit while you drive. It's just as if our car did have an airbag."

No, its nothing like that at all. You have simply failed to grasp the underlying issue. Using your car and airbag analogy, its more like saying "Hey, YOUR car only has a passenger side airbag. We suggest you install a driver side airbag too. Some side curtain and even rear seat ones would be a good idea too... but we will still put you in a helmet and padded suit to be safe." In this case, the passenger side airbag is safe mode. Driver side airbag could be considered permissions, side curtain airbags perhaps chroot. I dunno what the rear seat airbags could represent, perhaps a competent sys admin?

sisp wrote:
It's still an excuse to compensate for flaws in the program design that compromise security. Of course there are work-arounds. But safe mode is not an insignificant setting, and that should be obvious when you consider that you'd need a half-dozen other systems installed to emulate a similarly secure environment!

Even the developers of PHP acknowledge (as paraphrased in this thread) that operating in non-safe-mode is just plain foolish. You cannot get any respectable programmer to not agree on this point.

It is no excuse, G2 would not be able to do 80% of what it does with safe mode enabled. It is as simple as that. The choices are limited functionality with safe mode or full functionality w/o safe mode. Thats it. Want to help us enable that limited functionality? Join the project and help. Perhaps donate a huge chunk of change and fund a developer to start caring about your issue. Until then, make your suggestion and stop being an asshole. There is even a feature vote page, and not only is safe mode no where near the top... I'm not even sure if its something anyone has requested in the RFE system. So double check, if it isn't there... add the request. If it is, vote for it. Whats funny is that I got the impression that the PHP developers acknowledge that safe mode is foolish, and I already know plenty of respectable programmers that agree with *that*.

bharat wrote:
While I was there, I wound up sitting at a table with Rasmus Lerdorf, the guy who founded PHP. He's a Gallery user so while we talked about various things, we eventually got around to talking about safe mode, since it's one of the biggest thorns in the side of applications like Gallery. About safe mode Rasmus says "the biggest problem with safe mode is that people use it." And he's right. Safe mode is fundamentally flawed because it's providing security at the application level, instead of at the operating system level.

Do you see the part that says "the biggest problem with safe mode is that people use it"? Doesn't sound like the guy who FOUNDED PHP thinks highly of safe mode, does it?

sisp wrote:
I understand you all have to defend your application, but let's be honest. If your app ran in safe mode, you would be on my side of the argument in a nanosecond, and you know it. You know it's bad news that the program needs safe mode disabled. You know that any little bug discovered becomes exponentially more dangerous because of this requirement.

Obviously what we don't understand is YOUR need to attack the programmers, software, users, admins and supporters. If our app ran in safe mode, none of us would use it. So we still wouldn't be on your side, we would just be using something else. Any little bug in G2 is only dangerious to servers where the sys admin doesn't have the brains to properly set it up.

sisp wrote:
OMG, are you telling me that G1 reqires register globals to be enabled?

Seriously? Is the application in that bad a shape that it can't read the CGI data from their proper array names?

If this is the case, let me just say this. Congrats to the developers here, who are apparently just getting into programming and still learning, and it's really great that such a pet project has gotten so much attention. The site is very slick and professional. You'd never know.

OMG are you telling me that you are such an asshole that you didn't install G1 or G2 before you started insulting us? G1 gives a big ol' warning if you install on a server with register globals on. I don't recall if it even lets you continue with the install in this case, but I won't make any promises because I haven't used it in a while. I've no clue on if G2 cares, but I suspect it does.

Way to insult an entire project w/o doing *any* background work of your own. Btw, the software you wrote sucks. And all your servers are easily owned. How do I know all this? I don't, I'm just saying it. Sound familiar?

sisp wrote:
Keep up the good work, but please, read up on security and rewrite the software so that it operates with the industry standard security measures in place. You can fix these problems in as much time as it takes to make up excuses for why they should be ignored, and you get the benefit of not being looked at as skript kiddi3s by professionals in the industry.

I'd take your own advice. Read up on security, then go out and study the industry. It might help you figure out what is "industry standard" and what is something that hosts latch on to as a security feature, but which ends up driving some customers away. If these problems could be fixed in as much time as it takes to make up excuses, they would have been. Come on, do you *really* think G2 doesn't support safe mode because they think its a silly security measure? No, its because it *IS NOT* easy to work around for this application. Think about what it does and how, and you'll realize this. If its so easy, do it yourself (and do it up to G2's coding standards, if you even can) and submit it as a patch. You know what? If you need help, we'll be there for you. You can get help doing it from the devs themselves via IRC or these forums. I bet even though they'll read this and think you are an ass, they'd still help you because they would *love* for G2 to work in some form (be it limited or fully function) in safe mode. I think you'd also be surprised to find that you are the first person who has thought of the G2 devs as "script kiddies".

sisp wrote:
I appreciate where you're coming from.

Unfortunately, while I can see the value of trying to hack the code to operate under safe mode, the reason I came here was to avoid having to do it myself.

In other words, all you can do is degrade and insult. You have no actual skill to provide, either in coding or securing your own server. Awsome!

sisp wrote:
In any case, as I said before, it is impressive how far you all have come, and it seems like the product is well supported and feature laden. I look forward to seeing how it evolves in the future.

Thanks, I think this is the nicest thing you've said. G2 does have a lot of features and is well supported. Unfortunatly, with out people like you who actually care strongly about safe mode, it will take a long time for it to be supported. What we need is a developer who feels strongly about safe mode and makes it work. Not a few people (this thread is only 2 pages long!) who wish it were included but can't actually offer any help what so ever.

sisp wrote:
As for the "work arounds", one thing you forget, is the more disparate systems you have to implement, such as suexec, fastcgi, chroot, etc., the more complicated the install becomes, the more things you have to monitor for vulnerabilities, the more areas that can fail, etc. The first rule of security is to keep things simple, and the less windows & doors you have in your house, the less entry points.

Safe mode is not the be-all end-all of php security. We know that, but it is a substantive part of a secure php-based system.

This is both true and untrue at the same time. Just saying that a server with more "stuff" on it is less secure is a stereotype, it can be true but it might not be true at the same time. Is running just apache more secure than running apache and iptables to help secure it? Is running apache, mysql, smtp and ftp less secure? What if you throw in some snort? What if you chroot jail all of those applications? There are no "rules" to security. Keeping things simple certainly isn't one of them. Its simpler to just run apache, but it sure ain't secure. Its simple to run wu-ftpd, but that sure isn't secure. Security is an all around approach. Adding more "things" can and WILL make you more secure if they are the right things. This means picking secure software, secure settings and when possible wrapping them in even more security!

You are right, safe mode is not the end all be all of php security. What you haven't come to realize yet though is that its not really a "substantive" part of it either. There are smarter, far more secure methods of securing PHP, that at the same time secure *everything* else.

This was a long post, and I was probably mean to you in parts of it. If you are offended, it doesn't really bother me because you offended me. My final suggestion is to simply put up or shut up. I'll be happy to see you post on another unrelated subject, and would even happily help you resolve any G2 issues you might have. I'd also be happy to see you work on getting G2 working in safe mode, because while it isn't the #1 requested feature... it is one of the recurring support issues in the forums. Our response now is to find a better host, but wouldn't it be great if we could say "hey, try the safe mode version and if you don't like the limitations, THEN find a better host!"
_________________________________
Support & Documentation || Donate to Gallery || My Website

 
fryfrog

Joined: 2002-10-30
Posts: 3236
Posted: Sun, 2005-11-06 22:05

I went and checked the feature vote and rfe section, and no one who cares about safe mode has cared enough to file an RFE. If you would truely like to see this feature in G2, add it by visiting http://sourceforge.net/tracker/?group_id=7130&atid=357130 and making a detailed RFE. Once you have done this, it should show up in the feature vote at http://gallery.menalto.com/sfvote/all and you can vote for it. Hopefully, everyone will want safe mode badly, vote for it and in doing so make it a much bigger priority for the developers. Of course, I might apply some negative votes to it just cause I can!

_________________________________
Support & Documentation || Donate to Gallery || My Website

 
bharat
bharat's picture

Joined: 2002-05-21
Posts: 7993
Posted: Sun, 2005-11-06 23:48

Don't mistake our lack of safe_mode support with a lax approach to security. We take security very seriously. But the type of problem that Gallery attempts to solve is incredibly difficult to do without being allowed a fair amount of discretion, including running executables for image manipulation and managing our own time limits. It is grossly unfair to us to assume that we've simply overlooked safe_mode and that there's a quick fix that we can make to support it.

Remember that our focus is to write the best, most full-featured Gallery product that we can because that is what our users want. Security is something that we developers care about, but even in today's climate it is barely a blip on the radar of 80% of our users. They want it fast, easy, with many features. They take it for granted that we'll give them a secure product. So if we rip out features because of safe mode, or make the install much harder, etc then they'll go use something else. In my experience with this situation, ISPs get mad at Gallery because their users are demanding that they turn off safe mode so that they can use it. I appreciate that this puts ISPs in a bad situation because they don't want to lose business, and they don't want to turn off safe mode because it is a convenient, but limited way for ISPs to guard against poorly written scripts.

As I've also mentioned in the past, we were not going to make safe mode support an integral aspect of the G2.0 release, but we would revisit the issues for future releases. So here are the issues that I outlined in my first post, with some additional details:

  • We can't use exec() limiting our toolkit support to GD which perpetually runs afoul of memory limits and doesn't support image rotation.
  • We can't maintain our own time limits, which means that PHP will cut off long operations in the middle which will eventually lead to very difficult to solve database integrity issues.
  • The webserver user must own the g2data directory in order for us to create subdirs under many common safe_mode configurations, which we do not have a solution for

It's not a long list; I'm probably leaving something off of this. Again, it is very easy to take a quick look at the product and criticize our lack of thought on this, but in order to really advance a convincing argument you'll have to help us come up with a real solution. I've spent several years trying to figure out ways around these issues and while I have some thoughts on how we could fix them, I don't have any solid solutions that will cover the 80% user base.

I will not personally be making a push to resolve this alone because I choose to prioritize the needs of our current userbase (which clearly does not include anybody who has the safe_mode restriction). However, I welcome and encourage anybody who has solid solutions for this problem to step up and help us solve it. If you meet us half way, we'll make it happen.

 
Keoeeit

Joined: 2005-11-09
Posts: 3
Posted: Wed, 2005-11-09 14:39

I realize that this is more of a philosophic discussion on this issue of "safe_mode or to not_safe_mode" rather than finding a cure, but I've really been trying to hunt for an answer to get this running on my server, one of the thousands that has local value set to ON, but master value set to OFF. My server allowed me to install a version of G1 from its built-in tools/toys to get started with.

Out of curiosity, I thought I'd go into the folder where G1 had been installed from their own system, to take a peek at the .htaccess code they used, and found this:

php_flag engine off
Action php-script /interpreters/php-script
AddHandler php-script .php .php4 .php3 .inc
php_value post_max_size 20971520
php_value upload_max_filesize 20971520
php_value magic_quotes_gpc off


Options  +FollowSymLinks    
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /photogallery/
RewriteRule ^([^\.\?/]+)/([0-9]+)$	/photogallery/view_photo.php?set_albumName=$1&index=$2	[QSA]
RewriteRule ^([^\.\?/]+)/([A-Za-z_0-9\-]+)$	/photogallery/view_photo.php?set_albumName=$1&id=$2	[QSA]
RewriteRule ^([^\.\?/]+)/$	/photogallery/$1	[R]
RewriteRule ^([^\.\?/]+)$	/photogallery/view_album.php?set_albumName=$1	[QSA]
</IfModule>

Now the interesting things is, if I post these lines of code in an .htaccess file for my G2 installation folder

php_flag engine off
Action php-script /interpreters/php-script
AddHandler php-script .php .php4 .php3 .inc
php_value magic_quotes_gpc off

it turns off my local safe_mode. GREAT! But then I get all sorts of new errors popping up and I can't even run the installer past the verification step.

I thought maybe if one of you smarter people looked at that code, you might see a simple way of turning off safe_mode for G2 for us that are stuck with providers who won't or don't even know how to change it. Don't tell me to edit my httpd.conf file. I ran into a problem in the past with over-riding upload limits for a PHPBB setup and found out that file doesn't even exist on my server (so I found an .htaccess work-around for that problem).

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-11-09 15:12

just an explanation:

php_flag engine off
Action php-script /interpreters/php-script
AddHandler php-script .php .php4 .php3 .inc
php_value magic_quotes_gpc off

doesn't disable safe_mode. these instructions tell apache (the webserver) to use a php-cgi installtion which is installed in /interpreters/php-script instead of the normal (mod_)php. thus, it disabled safe_mode by using another php installation which is probably run under your user instead of the global webserver user.
so this specific solution only works for you and users on the same host as you are.
other users might have to upload php-cgi or it might not work at all for them.

to your question:
this will get really offtopic if we try to solve your problem here. please open a new topic in the g2 installation forum. also, provide the errors you're getting as well as the php.ini path (found in <?php phpinfo(); ?>) in the new topic.

 
Keoeeit

Joined: 2005-11-09
Posts: 3
Posted: Wed, 2005-11-09 21:50

Thanks for the explanation. I wasn't interested in finding a solution that is unique to my server. I thought there might be something in that code that would resolve the issue for anyone. When I went on a google hunt for the error messages I was getting, I must have gotten over 17,000 hits of identical pages of web-sites that ran the install/index.php, and just left them there, probably hoping someone will come up with a solution.

I hardly know a thing about PHP and Apache servers, etc. As you can easily tell. I just thought there might be something in that code that could provide a unique work-around for the thousands that want to install and run this software, but can't. (me included)

I doubt you are going to convince a hundred-thousand paranoid and less-educated web-hosts to turn off safe_mode for those that ask. Rewrite the software and make it compatible to everyone's needs. Isn't that the whole point of open-source? Think about it.

I'm now in search of some other Gallery software .... maybe there's something even better than this out there. If there is, I'll do my best to let those 17,000 people know what it is.

Thanks for the info, and sorry for the interruption.

 
bharat
bharat's picture

Joined: 2002-05-21
Posts: 7993
Posted: Wed, 2005-11-09 23:18
Keoeeit wrote:
Rewrite the software and make it compatible to everyone's needs. Isn't that the whole point of open-source? Think about it.

The point of open source is to make our years of work available to everybody so that they can do whatever they want with it. It's entirely free to you in every way that counts. The point of open source is that anybody can fix this problem. Unfortunately, as this thread (which has been going on for years) can attest, it would appear that the world expects us to fix this problem. But we don't see it as a problem, and until we do we're not going to dedicate our extremely limited time to it. Instead we give this code away for free so that any of those 17,000 people could change it. Any of the ISPS who complain could change it. Any of the 80,000 members of this website could change it.

Why won't somebody else step up and commit some time to this? Why must everybody demand that we do yet more work for them instead?

You could construe the tone of this comment to be arrogant and condescending. I hope that you don't. What I'm trying to express is the fact that I personally have donated many thousands of hours of my life to providing a free, high quality product to the world. I do not expect a dime in return. This is pure philanthropy. There are many others just like me who have spent just as much time on this. Because we are the ones who are giving so generously of our time, we get to decide where spend it. Anybody who is willing to step up and donate some time has an equal say in the direction of the project and the product. That is the power of open source.

I'll reiterate my prior offer: even though this is not a critical issue for us we will dedicate more of our time to helping anybody who is willing to work on it with us to resolve it to everybody's satisfaction. In my last post I outlined the issues that need to be solved.

Who will step up?

 
dmolavi
dmolavi's picture

Joined: 2002-12-05
Posts: 573
Posted: Thu, 2005-11-10 16:36

sisp-
As someone who talks like they are a walking encyclopedia of programming and the related security issues, please step into #gallery on irc.freenode.net and share your expertise with us, instead of just throwing insults and criticisms with no alternative or offering of help to work towards a viable, technically sound solution.

I started out as a normal Gallery user 3 years ago. Instead of criticizing and insulting the developers, who give freely of their time for this project, I stepped in and provided patches and fixes as I came across them. After spending time in #gallery, I realized what a great team Gallery has behind it. I'm sure you would too if you spent time there, and realized that we do take security very seriously (the first exploit in G2 was fixed in less than a day and released).

The types of comments that you provide to us are the ones that, while they generate a lot of traffic here in the forums, generate zero traffic on IRC or on the core developer mailing list. Why? Because you only bitch and moan without providing a solution. If you had stepped up to the plate in your first post and said "I've got a solution here..." then you would have gotten a much more positive response, and your solution might very well be in the developer CVS right now.

[img]http://www.nukedgallery.net/signature.jpg[/img]

 
Keoeeit

Joined: 2005-11-09
Posts: 3
Posted: Sun, 2005-11-13 07:39

I was just about to offer the webspace that I use that has safe-mode enabled on it for a testing grounds for probable solutions. But then I realized when 2 posts in a row seemed to come from holier-than-thou snot-nosed techno-geeks, I reconsidered. I can now see why nobody wants to help any of you with your problems.

I've found better software.

Thanks anway!

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sun, 2005-11-13 14:25

we have our own testing machines and enabling / disabling safe_mode is just a minor configuration change in php.ini. thus, there's no need for test servers. but thanks for the offer.

 
fryfrog

Joined: 2002-10-30
Posts: 3236
Posted: Sun, 2005-11-13 18:22
Keoeeit wrote:
I've found better software.

I'd be interested in knowing what software you picked, it would give us something to point people stuck with safe mode a good alternative besides switching to a host that doesn't use safe mode. And as valiant said, its not a testing environment that is lacking. It is a lack of developers who want to spend their time adapting G2 to work in safe_mode. So if you could have done that, its a shame to see you leave.
_________________________________
Support & Documentation || Donate to Gallery || My Website

 
dmolavi
dmolavi's picture

Joined: 2002-12-05
Posts: 573
Posted: Mon, 2005-12-05 19:09

Here's a nice little tidbit from the PHP Developer's Meeting that took place on 11 and 12 November 2005:

PHP Developers wrote:
Issue: safe_mode is a feature in PHP that checks whether files to be opened or included have the same GID/UID as the starting script. This can cause many problems, for example if an application generates a cache file, it will do this with the user ID that belongs to the web server (usually "nobody"). As an application is usually uploaded by the user belonging to the web account (say "client") the scripts can no longer open the files that the application. The same problems happen when for example an application generates an image.

Discussion: As safe_mode is a name that gives the wrong signals as making PHP safe, we all agreed that we should remove this function. It can never be made totally safe as there will always be ways to circumvent safe_mode through libraries. This kind of functionality also better belongs in the web server or other security scheme. open_basedir is a feature that we will keep, and we will point users to this functionality in the error message that is thrown when we detect this setting on start-up.

Conclusions:

1. We remove the safe_mode feature from PHP.
2. We throw an E_CORE_ERROR when starting PHP and when we detect the safe_mode setting.

See http://www.php.net/~derick/meeting-notes.html#safe-mode for complete meeting minutes from that meeting. This is pretty much the nail in the coffin for safe_mode, seeing as how the PHP developers don't even believe in it/think it's a bad idea.
[img]http://www.nukedgallery.net/signature.jpg[/img]

 
Oldiesmann
Oldiesmann's picture

Joined: 2005-05-18
Posts: 151
Posted: Thu, 2005-12-15 02:15

Glad to see that PHP developers have finally realized how utterly useless and annoying safe mode is. Let's hope they actually incorporate those changes :)

The Oldiesmann
SMF Support Specialist
SMF+G2 Integration Project

 
tempg

Joined: 2005-12-17
Posts: 1857
Posted: Sat, 2005-12-17 14:49

i'm new to gallery and new to php, etc. i don't understand what's at issue here. what information is venerable and needing to be protected? is it the photos themselves being subject to unauthorized access/stealing? is it usernames and passwords subject to being taken by unauthorized third parties? is it data entered when a user is utilizing the cart and providing cc information? i have no idea what issue is at the root of this forum. please respond. thanks!

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Sat, 2005-12-17 15:02
 
pierma

Joined: 2006-01-02
Posts: 1
Posted: Mon, 2006-01-02 11:18

Hello,
I run a little ISP specialized in hosting game and fantasy related websites. I have more than 250 hosts, most of them with a domain, some as subdirectories of some "generalized" domains. I'm a pro - I have also some customers (also important ones like members of political parties) so the server is weel cared of about security issues.
It has safe mode activated and no CGI permissions (if not on some websites run by people whom I trust both personally and technically).
I intalled for me and a couple of friends a gallery - I modified it a little (just a couple of lines and some tweaking of dir permissions and apache/php configuration on the website) and it works fine in safe mode so, I suppose it should not be an issue so big.
Also: I recently made a little ecommerce system - it manages images of products. Well, in safe mode I was able to call imagemagick programs with all needed pipings and (someone wonders about it) save all the image data NOT on the file system (source of possible security flaws in my opinion) but in the MySQL db as blob data.
Thanks kallisti emailsign kallisti punctuationmark it

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Mon, 2006-01-02 14:09

@storing the images in the database
of course you can do that but storing a large amount of binary data which is retrieved highly frequently will have a large impact on the server load of the database server. the database is usually already the bottleneck for php/db applications, the same goes for G2. so this practise is strongly discouraged, not just by us.

@other safe_mode restrictions:
please submit patch(es) for G2 and we'll happily look if we can use them to have a G2 flavor that runs with safe_mode on.

but the main point is that if you are really concerned about security, you shouldn't rely on php safe_mode. Use php-fastcgi + suexec + apache2 + chroot jails to create a secure environment for your customers.
http://codex.gallery2.org/index.php/Gallery2:Security#What_about_PHP_safe_mode.3F

 
fredmadison

Joined: 2006-01-31
Posts: 2
Posted: Tue, 2006-01-31 22:18

Does anybody know a good alternative to gallery2 which does support php safe_mode. I'm not willing to change ISP though I like the looks of gallery2.

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Tue, 2006-01-31 23:35

i guess coppermine works with safe_mode on, maybe plogger too

 
fredmadison

Joined: 2006-01-31
Posts: 2
Posted: Wed, 2006-02-01 11:00

coppermine looks oke! thnx for the help I'll try to get that one working

 
ralarsen
ralarsen's picture

Joined: 2006-02-02
Posts: 1
Posted: Thu, 2006-02-02 15:56

I've read the whole discussion!
Why don't you make a "non-secure" version of Gallery, which would work even with safe_mode on?

I'm desperately looking for another gallery, but no photo gallery is near as good as Gallery! I've tried Coppermine, which seems to be the next most popular, but it's not half as good as Gallery!

Please reply if someone knows an almost as good gallery out there!!!
/Rasmus

 
dmolavi
dmolavi's picture

Joined: 2002-12-05
Posts: 573
Posted: Thu, 2006-02-02 16:11

First, I doubt that any reputable software dev team would purposely release a less secure version of their product. Two versions means more support issues, plus potential liability issues as well.

Second, such a version would not be as feature rich as the version currently offered.

Additionally, it's not as simple as removing a few lines of code here and there...esp. for G2, it would require an extensive audit and potentially many hours rewriting code.

[img]http://www.nukedgallery.net/signature.jpg[/img]

 
bharat
bharat's picture

Joined: 2002-05-21
Posts: 7993
Posted: Thu, 2006-02-02 23:39

I would love to see somebody make a version of Gallery that works with safe mode enabled. If you're interested, please contact the dev team.

 
djmaze

Joined: 2005-08-28
Posts: 17
Posted: Wed, 2006-02-22 01:34
sisp wrote:
I am an ISP / ASP in the United States. We've been around since 1994 and have several thousand customers hosting sites from all around the world, handling all sorts of applications. I'm also a programmer that has received "Editor's Choice" in PC Magazine for my work, so I know about writing solid software and making it commercially marketable and secure.

Your resume doesn't impress me nor others.
How much money are you able to bet that i can't write PHP scripts that get around your safe_mode, would i become millionair? (because it IS possible)

"since 1994" and still no knowledge about hosting, sorry but that sounds just like any other hosting provider.

I'm ashame that i've also received awards in magazines (including 4 pages wide articles about it) when i see comments likes yours. You only brag about it if you "need" recognition. So in this case i adore valiant cos he doesn't know how many, just like i don't know. That comment realy pissed me off.

bharat wrote:
I would love to see somebody make a version of Gallery that works with safe mode enabled. If you're interested, please contact the dev team.

already did a tech note: http://gallery.menalto.com/node/44797