Posted to modperl@perl.apache.org by Chris Shiflett <sh...@php.net> on 2004/06/11 08:29:49 UTC

Shared Servers (Was: mod_perl presence at OSCON (and other CONs) is at danger)

--- Perrin Harkins <pe...@elem.com> wrote:
> Actually, as I understand it, PHP has all the same problems. There
> is a "safe mode", but enabling it tends to break things, so many
> ISPs turn it off. Even with it on, I believe you can still redefine
> core functions at will, not to mention just coding something that
> will chew CPU or RAM until the server dies or an rlimit kills your
> process. I've been told that many PHP hosts actually run PHP
> through CGI for this reason. Please correct me if I'm wrong, Chris.

Pretty much, except for the purpose of safe_mode (which is probably the
most poorly named directive). The cheap Web hosts I've used seem to be
pretty good at suspending any account that is abusing its privileges (and
they will usually revoke it after investigating a bit further). So, I've
never had a problem with other users on the server adversely affecting my
experience. But, I think I keep my expectations in check when paying
$5-$10 a month.

The safe_mode directive is something that tries to address a specific
security problem, but it doesn't solve it at all. On a shared server, it's
pretty easy to write a PHP script (http://shiflett.org/code/browse.phps)
that will let you browse the filesystem with Apache's privileges. A lot of
PHP developers develop their business logic separate from presentation,
and they store these files outside of the Web tree. Of course, if you can
include this code from other scripts, it means Apache can read them, and
thus, so can my script. :-) With safe_mode, my PHP script won't work.
Problem solved? Not for me, since I also know Perl, and Perl doesn't care
about php.ini. :-) Of course, even a simple Bash CGI would work just fine.

So, I think safe_mode is both poorly named and useless. If someone *only*
knows PHP, they're not really the type of person I'm worried about anyway.

> Regardless, let's not go picking fights with PHP. PHP and Perl have
> a lot in common, and I would rather see people use PHP than a
> proprietary system. It's not necessary to attack PHP in order to
> promote Perl.

I think both are great. There is plenty to hate in PHP, and once you've
reached a certain point, you're aware of all the shortcomings pretty well.
:-) I have complaints about CVS, too, but I still use it. It's familiar
and gets the job done.

If you want to start picking fights with Java or Microsoft stuff, count me
in. :-)

Chris

-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html