I am setting up a new server. It runs Red Hat 7.3 and PHP 4.2.2. I am getting errors on a script that tell me that safe mode is on. I have turned it off in php.ini, but when I check phpinfo() it tells me that the master value for safe mode is off but the local value is on. How do I turn it off? Also, I only have one php.ini file and have not been able to get a php.ini recommended for PHP 4.2.2 for production servers.

thanx dave

    Off-Topic: but why do many hosts leave the safe-mode on as a default?

      24 days later

      Off-Topic: but why do many hosts leave the safe-mode on as a default?

      From the manual located at: http://www.zend.com/manual/features.safe-mode.php

      The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

      Basically, when safe_mode is on, PHP disables some functions and adds checks, for example, if the owner of the current script matches the owner of the file to be operated on by a file function. With safe_mode off, in a shared environment, everyone's scripts run with the rights of the Apache daemon. This leads to serious security implications, as any user may be able to easily read any file Apache has access to. Users of the shared server are given the ability to view, and possibly write to, your files, which may include sensitive information such as MySQL passwords etc.

      The below is quoted from our page which admittedly promotes our new Secure_Mode feature, an alternative to the restrictive behavior of PHP's safe_mode. It may help to answer your question...

      Server administrators, especially those operating within a shared environment for hosting communities, have been plagued with the arduous task of deciding what to do with PHP's safe_mode functionality. Traditionally, there are only four options for these administrators to choose from; a) turn off safe_mode completely which leads to serious security implications, b) run every account with their own unique Apache/PHP daemon which is usually unrealistic when considering server loads and stability, c) require every site owner to run their PHP scripts as a CGI process which again leads to server load and stability issues, or d) enable PHP's safe_mode which, though secure, restricts the site owner's choices as to which scripts will and will not operate on the server.
      [ continued at http://www.FutureQuest.net/Safe_Mode_Off.php ]

      For the majority of hosts out there this is a tough issue. If they have safe_mode off, they may be opening up their clients to some pretty steep security leaks. If they have it on, clients like dave run into snags due to the restrictive nature of it. We, as a host, had to put a LOT of energy into solving that dilemma for our own clients but our solutions are not easily available for 'all hosts in general' because not all of our changes are completed within PHP but rather within the overall server core. It would take an admin with the correct server setup and knowledge to be willing to modify a bit more than the PHP Source alone. FutureQuest's Secure_Mode for PHP is a multi-layered, multi-component, subsystem that has hooks into several different areas of our core operations. This can make it difficult for most shared server admins to integrate our "special tools" into their own shared server cores. So be kind to the admins that have chosen to set safe_mode on because really, they are doing the RightThing(TM) for their clients. 😉
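
Added example, not part of any post in this thread: a small Python model of the owner check described in the reply above, showing which of another user's files a tenant's script can read when every script runs as the Apache user. The uids, paths and modes are constructed, and only the script-owner/file-owner rule is modelled, not the rest of safe_mode.

```python
import stat
from collections import namedtuple

# Constructed sample: files on a shared host where every PHP script runs as
# the Apache user (uid 48, gid 48). All uids, paths and modes are made up.
File = namedtuple("File", "path uid gid mode")
APACHE_UID, APACHE_GIDS = 48, {48}
FILES = [
    File("/home/alice/www/config.php", 1001, 1001, 0o644),  # world-readable
    File("/home/alice/www/db.inc",     1001, 48,   0o640),  # group apache
    File("/home/alice/private/key",    1001, 1001, 0o600),  # owner only
    File("/home/bob/www/index.php",    1002, 1002, 0o644),
]

def os_allows_read(f, uid, gids):
    """Classic Unix check: first matching class (owner, group, other) decides."""
    if uid == 0:
        return True
    if uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def safe_mode_allows(f, script_owner_uid):
    """The extra check safe_mode adds: script owner must equal file owner."""
    return f.uid == script_owner_uid

def readable_by_script(f, script_owner_uid, safe_mode):
    """Can a script owned by script_owner_uid, executed by Apache, read f?"""
    if not os_allows_read(f, APACHE_UID, APACHE_GIDS):
        return False
    return safe_mode_allows(f, script_owner_uid) if safe_mode else True

def cross_tenant_exposure(files, script_owner_uid, safe_mode):
    """Other users' files that this tenant's scripts can read."""
    return sorted(f.path for f in files
                  if f.uid != script_owner_uid
                  and readable_by_script(f, script_owner_uid, safe_mode))

if __name__ == "__main__":
    for mode in (False, True):
        print("safe_mode", "on " if mode else "off",
              cross_tenant_exposure(FILES, 1002, mode))
```
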
