Disable safe mode without loss of security ?
Posted on May 2, 2007, 6:42 am
I'm trying to disable safe mode from my php installation. First
because this functionality will be removed in PHP6, and because it's
very restrictive and it's giving me headaches when configuring
frameworks and other applications. Moreover, it's said on the php
website that the safe mode solution is not a good thing... I'm looking
for a tutorial which indicates what to configure on a server in order
to have a secured installation of PHP, but without safe mode. I can't
Thank you !
Re: Disable safe mode without loss of security ?
If you see the documentation of safe mode, you see it starts by saying
this really should be done on the server itself. However, this is
OS-specific, so it is not easy to give any details without knowing the
OS that will run the page.
In general, the web server itself will run as a user that is known to
the OS. This user should be given enough rights to run the site, but too
few rights to do more harm to the system. It mainly comes down to
rights management. The rights can (and should!) be set correctly on the
OS, but can (and should!) be given in the web server as well for the
One approach is to have a directory for your site that is accessible to
the web server process on OS-level, with a subdirectory in it that is
served, and therefore publicly accessible (called the web root, usually
"htdocs" or "www"). Deny directory browsing and set an index page on the
web server level. Put your library php files outside the web root, so
they can only be called from php, but never directly from a web browser.
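
The layout described in the reply above can be checked from a shell. This is an added example, not part of the original posts; the SITE, WEBROOT and LIB arguments, the finding labels and the reliance on `readlink -f` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the directory layout described above.
# Assumes GNU/busybox `readlink -f`; SITE, WEBROOT and LIB are caller-supplied paths.

# list_findings SITE WEBROOT LIB -> one finding per line on stdout
list_findings() (
    site=$(readlink -f "$1"); webroot=$(readlink -f "$2"); lib=$(readlink -f "$3")

    # The served directory must be a subdirectory of the site directory.
    case "$webroot/" in
        "$site"/?*) ;;
        *) echo "WEBROOT_NOT_UNDER_SITE $webroot" ;;
    esac

    # Library PHP files must not be reachable by URL.
    case "$lib/" in
        "$webroot"/*) echo "LIB_INSIDE_WEBROOT $lib" ;;
    esac

    # A symlink in the web root that resolves outside it re-exposes its target.
    find "$webroot" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link")
        case "$target/" in
            "$webroot"/*) ;;
            *) echo "SYMLINK_ESCAPES_WEBROOT $link -> $target" ;;
        esac
    done

    # Anything world-writable can be changed by accounts other than the owner
    # and the web server user.
    find "$site" ! -type l -perm -0002 | sed 's/^/WORLD_WRITABLE /'
)

# audit_site SITE WEBROOT LIB -> prints findings, returns 0 if clean, 1 otherwise
audit_site() {
    findings=$(list_findings "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /srv/site /srv/site/htdocs /srv/site/lib
if [ "$#" -eq 3 ]; then audit_site "$@"; fi
```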