Hosting

Allthegearnoidea

Joined: 2009-08-01
Posts: 5
Posted: Tue, 2009-08-04 07:25

Hi

I was just wondering what people's thoughts were on this. I asked my regular host whether or not they supported Gallery 2 and got this reply:

"Unfortunately Gallery2 requires PHP Safe Mode Off.

This means you're not likely to find any "real" hosts able to support it, as none of us allow insecure/poorly-written scripts on our hosting platforms, for the safety and security of all our clients.

You would either have to rethink your photo software, or take a high-end VPS/Dedicated-Server so your site couldn't affect other users of the systems."

Is this actually true? Are all the users of Gallery actually running unsecure sites or is this just nonsense?

Wondered what others' thoughts were.

 
ckdake

Joined: 2004-02-18
Posts: 2258
Posted: Tue, 2009-08-04 13:00

I run a hosting company and while some may not consider it "real", I host over 100 sites so it's a couple. No safe mode for me, I use a setup for security based on:

http://ckdake.com/content/2008/php-security-round-2.html

and one of the pages that links to, and have not had any problems ever during 3+ years of operation. My Gallery is at http://ckdake.com/gallery/ and it's running in the exact same environment as my customers who often do not run security updates, so I trust that those protections are enough to keep my data safe.

http://us3.php.net/features.safe-mode has a little bit of info, and shows that safe mode was removed from PHP in version 6, so it wasn't worth keeping around to the PHP team. Here's a good discussion on this site from 2003/2004:

http://gallery.menalto.com/node/3017

that explains why safe mode and Gallery don't get along.

Basically, due to the 3 bullet points in that forum topic and not for any "insecure/poorly-written" reason, we can't guarantee that Gallery will work with safemode on and because we take consistency of our users' data very seriously, we try and prevent people from using Gallery with safemode.

____
http://ckdake.com/ - If you found my help useful, please consider donating to Gallery.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Tue, 2009-08-04 13:13

Unfortunately, Allthegearnoidea, it's your host who isn't a "real" host :). They don't have a clue what they are doing, nor do they know what's happening with the software they're running on their servers. Safe_mode has actually been deemed a bad idea (or a good idea on paper, implemented poorly) by the PHP developers and is going away in PHP 6.0 as ckdake has already stated.

If they, like most hosts, allow other languages like perl, you've just bypassed almost everything safe_mode was trying to stop :) No open_basedir restrictions for perl, no binary execution restrictions in perl. Yep, you can do pretty much everything safe_mode for PHP was trying to stop in most other languages, perl, python, etc.
http://us3.php.net/manual/en/features.safe-mode.functions.php

My advice, get a real host who knows what they are doing:
http://gallery.menalto.com/node/88391#comment-310594

:)
____________________________________________
Like Gallery? Like the support? Donate now!!! See G2 live here

 
Allthegearnoidea

Joined: 2009-08-01
Posts: 5
Posted: Sun, 2009-08-09 19:22

Thanks for the replies. I had a sneaking suspicion that they were talking cr*p.

Thanks very much for all the links too, I'm a techie numbskull so it's good to understand some of the background so I don't just have to take what hosting companies say from now on :-)

Thanks again