Why Safe Mode?

mikev

Joined: 2003-05-21
Posts: 2

Posted: Wed, 2003-05-21 22:44

Ok... Having realized the extent to which Safe Mode opens up a shared server, I'm questioning the reason why safe mode needs to be off.

The only thing I can come up with that might need safe mode to be off is the need to be able to write files (uploaded images) as the apache user, when the apache user doesn't own the directory to which it is writing to. Or anything else related to creating or moving files around in directories not owned by the apache user.

Is this it? Are there any other things that require safe mode to be off? Can this be worked around by doing a recursive chown on the albums directory, and a chown on the temp directory, to the apache user?

Basically I'm looking for a way - other than CGI PHP - to be able to have a secure shared server while allowing Gallery to run.

- Mike

alindeman

Joined: 2002-10-06
Posts: 8194

Posted: Wed, 2003-05-21 22:53

Quote:

The only thing I can come up with that might need safe mode to be off is the need to be able to write files (uploaded images) as the apache user, when the apache user doesn't own the directory to which it is writing to. Or anything else related to creating or moving files around in directories not owned by the apache user.

Unfortunately, there is something else -- the ability to execute commands. Safe mode disables this, so Gallery cannot resize pictures any more

bharat

Joined: 2002-05-21
Posts: 7985

Posted: Wed, 2003-05-21 22:54

Read this forum post:
http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=2848

And this news article:
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=67&mode=thread&order=0&thold=0

for in-depth discussions of safe mode and why gallery requires it.

mikev

Joined: 2003-05-21
Posts: 2

Posted: Wed, 2003-05-21 23:41

Well, since it's required, I guess the only solution for me is to go to CGI PHP with safe mode off. All sites on my server have their own chroot'ed jails, but since Apache is running at the true root level, and PHP is an apache module, it's also running at the true root level, so safe mode is required to prevent sites from getting outside their jails.

Thanks for the info!

- Mike

mikev Joined: 2003-05-21 Posts: 2	Posted: Wed, 2003-05-21 22:44
	Ok... Having realized the extent to which Safe Mode opens up a shared server, I'm questioning the reason why safe mode needs to be off. The only thing I can come up with that might need safe mode to be off is the need to be able to write files (uploaded images) as the apache user, when the apache user doesn't own the directory to which it is writing to. Or anything else related to creating or moving files around in directories not owned by the apache user. Is this it? Are there any other things that require safe mode to be off? Can this be worked around by doing a recursive chown on the albums directory, and a chown on the temp directory, to the apache user? Basically I'm looking for a way - other than CGI PHP - to be able to have a secure shared server while allowing Gallery to run. - Mike
	XUser login Username: * Password: * Create new account Request new password
alindeman Joined: 2002-10-06 Posts: 8194	Posted: Wed, 2003-05-21 22:53
	Quote: The only thing I can come up with that might need safe mode to be off is the need to be able to write files (uploaded images) as the apache user, when the apache user doesn't own the directory to which it is writing to. Or anything else related to creating or moving files around in directories not owned by the apache user. Unfortunately, there is something else -- the ability to execute commands. Safe mode disables this, so Gallery cannot resize pictures any more

bharat Joined: 2002-05-21 Posts: 7985	Posted: Wed, 2003-05-21 22:54
	Read this forum post: http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=2848 And this news article: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=67&mode=thread&order=0&thold=0 for in-depth discussions of safe mode and why gallery requires it.

mikev Joined: 2003-05-21 Posts: 2	Posted: Wed, 2003-05-21 23:41
	Well, since it's required, I guess the only solution for me is to go to CGI PHP with safe mode off. All sites on my server have their own chroot'ed jails, but since Apache is running at the true root level, and PHP is an apache module, it's also running at the true root level, so safe mode is required to prevent sites from getting outside their jails. Thanks for the info! - Mike

XUser login