Guest
Posted: Sat Oct 14, 2006 8:07 pm Post subject: Do you allow PHP with Safe Mode off?
I would like to be able to run the mailing list app PHPList, but I read that it needs PHP to be running with safe mode off if it is to work properly. Do you allow that? I believe the same issue applies to some PHP apps too.

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004 Posts: 5684
Posted: Sat Oct 14, 2006 8:11 pm Post subject:
Hi,
Thanks for your interest in NetHosted. I can confirm safe_mode is off, and that we have PHPList available to install via Fantastico, so you can get it up and running with just a few clicks of your mouse.
Hope that helps,
Andrew
_________________
Andrew Bassett
Managing Director, NetHosted Ltd.

Guest
Posted: Sat Oct 14, 2006 8:21 pm Post subject:
Thanks, that sounds very promising. Just out of interest though, I read that most shared host providers do not allow PHP to be run with safe mode off because of security issues. Now I'm not trying to catch you out here, but it would be interesting to hear your view on that. Perhaps you have other measures in place to avoid the alleged security risk?

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004 Posts: 5684
Posted: Sat Oct 14, 2006 8:27 pm Post subject:
Hi,
Safe mode has inherent side effects; we've found in our experience that the benefits it offers are outweighed by these.
Thanks,
Andrew

Guest
Posted: Sat Oct 14, 2006 8:56 pm Post subject:
Could you be a bit more specific about the side effects (of having safe mode ON) and the benefits (of having safe mode OFF), with particular reference to security? Of course it is great that PHPList can run properly with safe mode off, but if that means my subscriber database is liable to be exposed to hackers or that hackers could spam my subscribers then I would be concerned.

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004 Posts: 5684
Posted: Sat Oct 14, 2006 9:01 pm Post subject:
There is no need, we can enable safe mode for your account if you are concerned.
How many people are on the list? A large list could be a problem you see. If the volume of emails sent is too high your account might not be suitable to be hosted in a shared environment.
Andrew

Mike T
Community Liaison
Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
Posted: Sat Oct 14, 2006 9:12 pm Post subject:
It's my understanding that safe mode primarily prevents people from being able to access files they might not be supposed to using PHP (which in a lot of cases is useless, since they can do it with another language anyway). It causes an awful lot of hassle having to CHMOD 2777 things and in a lot of cases that will make sites a lot more at risk to outside attackers.
If I recall, PHP6 will remove Safe Mode anyway (as well as register_globals) -- it's not a great loss.
Mike
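
The side effect raised in the post above, directories opened up with chmod so that PHP can write to them, can be checked from a shell on the hosting account. This is an added example, not part of the original post; the function names and the `public_html` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for world-writable
# paths, the usual result of "chmod 777 / 2777 so PHP can write here".

# Every regular file or directory under $1 that any local user may write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# World-writable directories WITHOUT the sticky bit (777 and 2777, but not
# 1777): any local user who can reach them can delete or replace entries.
unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Human-readable report; returns 1 if anything world-writable was found.
audit() {
    found=$(world_writable "$1")
    if [ -z "$found" ]; then
        echo "OK: nothing world-writable under $1"
        return 0
    fi
    echo "World-writable paths under $1:"
    echo "$found" | while IFS= read -r p; do ls -ld "$p"; done
    risky=$(unsticky_dirs "$1")
    if [ -n "$risky" ]; then
        echo "Directories where other accounts can remove or swap files:"
        echo "$risky"
    fi
    return 1
}

# Run only when a directory is given, e.g.: sh audit.sh "$HOME/public_html"
if [ $# -gt 0 ]; then
    audit "$1"
fi
```
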

Guest
Posted: Sat Oct 14, 2006 9:38 pm Post subject:
Mike T wrote:
> It's my understanding that safe mode primarily prevents people from being able to access files they might not be supposed to using PHP (which in a lot of cases is useless, since they can do it with another language anyway).
> Mike

It sounds like a case of "damned if you do, damned if you don't"! I'm not an expert in these matters (in fact this will be my first public website), but it seems you are suggesting there will always be a way for unauthorised people to access your files (using some language). So that means no data on a shared server can ever be considered secure?

petethegeek
NetHosted Customer
Joined: 14 Feb 2005 Posts: 192 Location: Worcester
Posted: Sat Oct 14, 2006 9:44 pm Post subject:
This article, whilst a couple of years old, provides some interesting insights into the topic.
Even Rasmus Lerdorf, the originator of PHP, is reputed to have said, "the biggest problem with safe mode is that people use it".
Mike T wrote:
> If I recall, PHP6 will remove Safe Mode anyway (as well as register_globals) -- it's not a great loss.

Slow down Mike. We haven't got Andrew up to version 5 yet.
Regards,
Pete
_________________
"I have made this letter long, only because I lacked the time to make it short." - Blaise Pascal 1657

Mike T
Community Liaison
Joined: 26 Apr 2004 Posts: 453 Location: Loughborough
Posted: Sat Oct 14, 2006 9:47 pm Post subject:
As is mentioned in Hollywood movies all the time: nothing is completely secure.
You don't often hear of any problems though. The point is more that if someone knew how to access your files through PHP with safe mode off, having safe mode turned on wouldn't stop them anyway (they would know enough that they don't need PHP to do it).
It's not the only method of security in any case. I've never actually tried, but I should imagine that if I were to put a PHP app on my account on Pluto right now, and tell it to delete all the files on someone else's account, it wouldn't work (heck, I'd be surprised if it would even work on my own account without first setting some permissions, even with safe mode off).
I think the general consensus is that no data on any type of server, save perhaps a completely cut-off-from-the-outside-server-simply-for-internal-use, is ever entirely secure. That's why we encrypt sensitive data.
Mike

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004 Posts: 5684
Posted: Sat Oct 14, 2006 10:03 pm Post subject:
Mike T wrote:
> I think the general consensus is that no data on any type of server, save perhaps a completely cut-off-from-the-outside-server-simply-for-internal-use, is ever entirely secure. That's why we encrypt sensitive data.

This is the reality I'm afraid. Our job is to find the right balance between implementing security features that lock down the server but ensuring the accounts we offer are not useless because of these measures. It's a balance!
Thanks for all the input, Mike T and petethegeek.
Andrew

Last edited by NetHosted - Andrew on Sat Oct 14, 2006 10:11 pm; edited 3 times in total

NetHosted - Andrew
NetHosted Staff
Joined: 22 Mar 2004 Posts: 5684
Posted: Sat Oct 14, 2006 10:07 pm Post subject:
petethegeek wrote:
> Slow down Mike. We haven't got Andrew up to version 5 yet.
> Regards,
> Pete

...the next shared server should be PHP5, that decision will be made a bit closer to the time however!
Andrew