Safe Mode is deprecated as of 5.3.0. I have never really required it and rather found it problematic many times in the past due to permission errors, etc.
However I now have a requirement where I think safe mode would have done great.
I have built a web application which is extensible via modules. I plan on hosting the system myself and allowing paying customers to extend their software by implementing and writing modules which hook into the various parts of the system.
My concern is, by doing so, I have no way of ensuring the code they uploaded is not scanning the foundation/framework I have spent literally years designing and testing. Keeping the code proprietary is of great interest to me.
I write a module analysis tool to ensure no illegal methods are being invoked in third-party modules - not easy!!!
I disable harmful functions at the php.ini level, but this includes fopen() and its ilk - this means the framework won't be able to call its own include() operations and such.
Lastly and sadly obsolete, safe mode to restrict user modules from being able to read files which do not share the same ID, group, etc.
What is the recommended approach to such a thing? Short of manually reviewing or auto-analysing each module before being executed in the context of my framework?
It's a good thing that safe_mode is being removed. It's a false sense of security, and there have been many ways to bypass it. A better approach is to use suphp to run your application as a jailed user. This uses the security of the operating system to protect your application. Instead of banning exec() and system(), you run your PHP code as an account that doesn't have access to a shell. Instead of banning fopen(), you remove write privileges from everything owned by that user: chmod 500 -R /. Or go a step further and run your application within a chroot.
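As an added example (not part of the question or the answer above), this is how the answer's advice of running customer code as a separate, shell-less, chrooted OS account maps onto a per-customer PHP-FPM pool; it assumes PHP-FPM's per-pool user/chroot settings in place of suphp, and every path, account name and socket name is a placeholder.

```ini
; Added example: one PHP-FPM pool per paying customer, each worker running as
; its own unprivileged account. Account names, paths and sockets are placeholders.
[customer_acme]
; Dedicated account whose login shell is /usr/sbin/nologin, so exec()/system()
; have nothing useful to spawn even if they were left enabled.
user  = mod_acme
group = mod_acme
listen = /run/php-fpm/customer_acme.sock
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 5

; OS-level confinement: workers chroot here, so the rest of the host is invisible.
; The framework is copied (or bind-mounted) read-only into the jail, owned by root
; with mode 0555; /modules is the only tree mod_acme may write to.
chroot = /srv/jail/acme

; PHP-level confinement inside the jail; paths are relative to the chroot root.
php_admin_value[open_basedir]      = /app:/modules:/tmp
php_admin_value[upload_tmp_dir]    = /tmp
php_admin_value[session.save_path] = /tmp

; Process-spawning functions are disabled per pool instead of globally, so
; include()/fopen() stay available and the framework keeps working.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_flag[allow_url_fopen]    = off
php_admin_flag[allow_url_include]  = off
```

One caveat this setup does not remove: a module runs in the same PHP process as the framework, so any file the framework can include(), the module can also read with file_get_contents(). The pool isolates customers from each other and from the host; keeping the framework source out of the customer's reach needs a process boundary (for example, calling the framework over a local API) rather than file permissions.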