
[security] php and perl filesystem commands

Discussion in 'Security' started by Radio_Head, May 8, 2003.

  1. Radio_Head

    Hello,

    While waiting for Darkorb to give us chrooted users (I hope soon :( ),
    to reduce the risk from PHP files using filesystem commands (in other words, filesystem commands = ssh via php/perl) I use "php safe mode on".

    Unluckily, I/we are still not safe from users who use Perl filesystem commands to browse other users, catching code and passwords... In fact, if I am not wrong, there isn't anything similar to "php safe mode on" for Perl.

    I read that there should probably be something similar to "php safe mode on" in Perl 6, but for now we have to provide open shared boxes.

    What could we do to be safer from
    Perl filesystem commands while waiting to have users chrooted or waiting for Perl 6?
     
  2. sexy_guy

    We have safe_mode off on all boxes for obvious reasons. Nothing works if it's on. Too many users complain and Squirrel will not work. I think most people here have to be running safe_mode=off, otherwise nobody would be running anything on cPanel because it's so not suited for it to be off. If you have 300+ users per box then you can show me a server that runs safe_mode=on. Impossible!
     
  3. Radio_Head

    We are getting off the discussion topic (does something similar to php safe mode on exist for Perl?...) :p , however....
    I use php safe mode on and so far I have lost 0 clients for this reason.

    When a client asks me why php safe mode is on (it has happened rarely), I explain that it's turned on to guarantee the privacy of his data. Same thing when a client asks me for ssh.

    And if you have a client who asks you for "php safe mode off"
    and you can trust him, you can turn "php safe mode off" only for him, in 1 second, by adding 1 line to httpd.conf.

    I cannot imagine a shared server without php safe mode on :eek: !
    PHP is really popular at this time (much more than Perl)
    and the malicious players are near you!

    Install this http://www.digitart.com.mx/php/myshell/
    on your box. Edit shell.php to enable pico.
    Then execute it on a user account.... and see how easy it is to do almost everything.
     
    #3 Radio_Head, May 9, 2003
    Last edited: May 9, 2003
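
The exposure raised in the first post (one account's Perl or PHP script reading another account's code and passwords) can be measured per home directory. The following is an added example, not part of the original thread or of cPanel. It assumes every customer's scripts run as one shared web-server user that is neither the owner nor in the group of the files, so the "other" permission bits decide access; the account name, paths and modes in `demo()` are constructed.

```python
import os
import stat
import tempfile


def audit_home(home):
    """Return sorted (relative path, issue) pairs reachable via the 'other' permission bits."""
    findings = []
    if not os.lstat(home).st_mode & stat.S_IXOTH:
        return findings  # other accounts cannot enter the home directory at all
    for dirpath, dirnames, filenames in os.walk(home):
        for name in list(dirnames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IXOTH:
                dirnames.remove(name)  # symlink, or others cannot enter: skip subtree
            elif mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, home), "directory listable by others"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IWOTH | stat.S_IROTH):
                issue = "writable" if mode & stat.S_IWOTH else "readable"
                findings.append((os.path.relpath(path, home), f"file {issue} by others"))
    return sorted(findings)


def demo():
    """Audit a constructed sample home directory (all names and modes are made up)."""
    layout = [  # (relative path, is_dir, mode)
        ("", True, 0o711),
        ("public_html", True, 0o755),
        ("public_html/config.php", False, 0o644),
        ("public_html/upload.log", False, 0o666),
        ("mail", True, 0o700),
        ("mail/inbox", False, 0o644),
        (".my.cnf", False, 0o600),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "alice")
        for rel, is_dir, mode in layout:
            path = os.path.join(home, rel)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        return audit_home(home)
```

Files inside a directory that others can enter but not list are still reported, because a script that knows or guesses the file name can open them.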