2

I'm having trouble reaching (including) a folder outside the httpdocs folder for a domain hosted on a CentOS server provided with a Plesk control panel.

I knew that I would have to disable the PHP safe mode. So what are the risks of disabling it?

I have to balance the security risks and choose what is best for this case. The main reason I want to hide most of my application scripts (PHP of course, and Zend Framework based) behind the httpdocs folder is that putting them in it will expose some security risks, which can't be ignored but still affect only this website.

So, does safe_mode = Off affect the other websites on my VPS account security-wise? If it affects my whole account, why can it be set per domain and not per account?

Thank you

PS. I really hope this is not a duplicate question.

Omar Al-Ithawi

1 Answer

5

The PHP safe mode will be deprecated with PHP 6.0 and the PHP developers have not been happy with it for a long time. For example, read the article "PHP's safe_mode or how not to implement security", which was written by the release manager for PHP 5.2.

I think there are far better methods to secure a PHP installation. I'm using SuPHP (or SuExec in conjunction with FastCGI) and the open_basedir restrictions of PHP to secure my installation, and it has worked quite well so far. No real need for safe_mode, which IMHO only restricts you as a user and developer but doesn't provide real security.

joschi
  • 2
    You're right: safe mode gives no security, only headache :) It *might* save you from some buggy scripts' stupidest vulnerabilities, but while having these be sure there'll be more & more. Just don't use 3rd party scripts without looking thru bugtracks & reviews. – kolypto Dec 11 '09 at 22:53
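
A per-domain configuration along the lines the answer describes, written here as an added example and not taken from the answer or from Plesk. It assumes PHP runs as mod_php, and `example.com`, the `application` directory and every path are constructed placeholders.

```apache
# Constructed example: example.com and all paths are placeholders.
# Assumes mod_php (PHP 5), where php_admin_* directives are honoured.
# Under SuPHP or FastCGI the same open_basedir value belongs in that
# domain's own php.ini instead.
<IfModule mod_php5.c>
    <Directory /var/www/vhosts/example.com/httpdocs>
        # Turn safe_mode off for this domain only.
        php_admin_flag safe_mode off

        # Weaker alternative (no path confinement at all):
        #   php_admin_value open_basedir none

        # Confine PHP file access for this domain to its web root, the
        # application directory kept outside the web root, and a temp dir.
        # Entries are colon-separated; the trailing slash makes each entry
        # match that directory rather than any path sharing the prefix.
        php_admin_value open_basedir "/var/www/vhosts/example.com/httpdocs/:/var/www/vhosts/example.com/application/:/tmp/"
    </Directory>
</IfModule>
```

Because these are `php_admin_*` settings, scripts and `.htaccess` files in the domain cannot override them. An include from the application directory works, while an include of a path belonging to another domain fails with an open_basedir restriction warning.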