My server's chief engineer sent an email to ask whether Reviewpost can operate with safe_mode_gid on. Here's an excerpt from a very long email he sent us due to the recent PHP configuration changes they made:
Quote:
file_uploads is fine, but if uploads are on, then either safe_mode or safe_mode_gid should be turned on, and care should be taken in design, so that bad guys can't upload and then execute their own code.

safe_mode ensures that the site can only execute code owned by the site owner. safe_mode_gid ensures that the site can only execute code owned by the site owner's group. MOST applications can run with one of these settings, it just takes a couple of minutes to correct ownership.

For every popular CMS, blog, calendar or other open-source website tool, there are fifty kids scouring the code for holes and writing worms to infect them and take them over. Apparently some kids just have too much time on their hands. I'm not against the tools, I'm just urging extreme caution in deploying them. The number of intrusions and compromises I've seen on our customer servers due to this type of fast and loose configuration speaks for itself.
He had other issues with the allow_url_fopen but will compromise if one of the safe mode settings is set to on. Can this be done and create no problems running RP?
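
A pre-flight audit for the ownership correction mentioned in the quote, as an added example that is not part of the original post or of Reviewpost: it walks a web root and reports every entry not owned by the site owner, separating entries that still carry the owner's group from those that match neither. The function names, the sample tree and the simplified owner/group comparison taken from the quote are assumptions.

```python
import os
import tempfile
from collections import Counter


def classify(owner_uid, owner_gid, st):
    """Compare one entry's ownership with the site owner's UID and GID."""
    if st.st_uid == owner_uid:
        return "uid-ok"      # owned by the site owner
    if st.st_gid == owner_gid:
        return "gid-only"    # other owner, but the site owner's group
    return "mismatch"        # neither matches: ownership must be corrected


def audit(root, owner_uid, owner_gid):
    """Return sorted (path, verdict) pairs for entries not owned by owner_uid."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat: judge a symlink itself, not whatever it points to
            verdict = classify(owner_uid, owner_gid, os.lstat(path))
            if verdict != "uid-ok":
                findings.append((path, verdict))
    return sorted(findings)


def summarize(findings):
    """Count findings per verdict."""
    return Counter(verdict for _, verdict in findings)


def build_sample_tree():
    """Constructed sample web root: one script and one uploaded file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    for rel in ("index.php", os.path.join("uploads", "photo.jpg")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    st = os.lstat(os.path.join(root, "index.php"))
    # Pretend the site owner is a different account in the same group.
    for path, verdict in audit(root, st.st_uid + 1, st.st_gid):
        print(verdict, path)
```

Entries reported as `gid-only` are the ones that would pass only under the group-based setting; `mismatch` entries need their ownership changed under either setting.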