Gallery must run on SAFE MODE.

TheWatcher

Joined: 2002-08-21
Posts: 120
Posted: Thu, 2002-08-22 15:21

Hi there!

Suggestion for the Gallery 2.x release. It would be best if Gallery 2.x were able to support SAFE MODE ON.

Web hosting companies need to tweak some Apache and web appliance configuration to provide additional security if SAFE MODE IS OFF.

The con of turning safe mode off is that malicious users will be able to create PHP scripts and do damage to your server, such as stopping services or adding cron jobs to make your system vulnerable.

Safe mode off is only applicable to a standalone user of the server or trusted users of the server.

Just another opinion of Gallery aficionados.

regards,
TheWatcher.

 
ill

Joined: 2002-08-15
Posts: 756
Posted: Fri, 2002-08-23 05:34

Unless you run an old version of PHP, even Gallery 1.3 now supports SAFE_MODE Off.

 
TheWatcher

Joined: 2002-08-21
Posts: 120
Posted: Fri, 2002-08-23 17:24
Quote:
Unless you run an old version of PHP, even Gallery 1.3 now supports SAFE_MODE Off.

Gallery will not work if safe mode is off. If this works with your installation, I am requesting a step-by-step approach so we can share this with everyone. I've been installing Gallery almost every day (for my clients and clients-to-be)... I need to make safe mode ON to accomplish the task.

Let me know and thanks.

 
vallimar

Joined: 2002-08-15
Posts: 487
Posted: Sat, 2002-08-24 02:50

The FAQ explicitly states that Gallery will not run under Safe Mode.
And plenty of people have proven that this is so. Therefore, as TheWatcher
says, if you have proof otherwise, please share.

 
bharat

Joined: 2002-05-21
Posts: 7994
Posted: Sat, 2002-08-24 04:13

It might be possible to get G2 to work with safe mode off. I've had some thoughts on that; I think the only thing holding it back is the way that we do the NetPBM code. When I next go through the graphics code I'll see about changing the way it works so that it doesn't try to do any output redirection. If I can get that to work reliably on all platforms then we may be able to remove the safe mode restriction. Don't hold your breath though, it's not a trivial hack.

 
TheWatcher

Joined: 2002-08-21
Posts: 120
Posted: Sat, 2002-08-24 05:04
Quote:
It might be possible to get G2 to work with safe mode off. I've had some thoughts on that; I think the only thing holding it back is the way that we do the NetPBM code. When I next go through the graphics code I'll see about changing the way it works so that it doesn't try to do any output redirection. If I can get that to work reliably on all platforms then we may be able to remove the safe mode restriction. Don't hold your breath though, it's not a trivial hack.

bharat,

I'll be the first one to test G2 when it's ready. Great ...

Right now, I only apply SAFEMODE OFF if clients require the use of Gallery. There are some script kiddies ready to exploit any system that has SAFEMODE OFF.

Way to go for G2....

 
firebird_be

Joined: 2002-08-27
Posts: 1
Posted: Tue, 2002-08-27 09:30

My ISP is not (yet) in safe mode, but doesn't allow the exec() command. A lot of things have been disabled for security reasons ... The main result is that I cannot run the compiled libraries :sad:

The one thing he sure wants to allow is the PHP built-in GD libraries. I know that the results of these routines are not that fantastic (I've read the dedicated page on the advantages of NetPbm), but maybe you could have an option that allows users to use the GD libraries instead of NetPbm, in case of any security problem.

I first thought I was saved, when I tried to follow the steps to hack Gallery for use with ImageMagick, but that package is also disabled by my ISP ...

I've been doing some reading about GD in PHP, and one of the reasons mentioned for choosing NetPbm is the rotating feature. If I read well, the GD libraries are now capable of doing that too :smile:

I don't know if it is hard work to do so. If I read the instructions to change to ImageMagick, it doesn't seem that hard (lol), maybe that would be a (non-standard) option for users whose ISP isn't that keen on leaving his security policy :smile:

I guess that besides the open_base_restriction, there are not that many other problems when the server is in safe mode? (forgive me if I'm wrong)