
When or for what Reasons should folks turn PHP Safemode ON/OFF?

Question about PHP safe-mode:
By default it is switched on in PLESK shared-hosting account environment: While on my site seems to work fine, but maybe it will work faster/better when off? I don't understand the below text very well, especially PHP's explanation:

PLESK:

By default, PHP is configured to operate in safe mode with functional restrictions. Some web applications may not work properly with safe mode enabled: If an application on a site fails due to safe mode, switch the safe mode off

PHP.net:

This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged. The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

Question1: When/for what reasons should folks turn Safemode ON?
Question2: When/for what reasons should folks keep Safemode OFF?

Turn it off. Always leave it off.

It was designed way back when as a way to make PHP safe to use on mass hosts, and let the hosts "lock down" PHP.

But over time, it was realized that this didn't really work, and didn't really solve the problem anyway. There are better system-level ways of securing servers. So PHP is removing the functionality in the next major version and has it deprecated.

So to directly answer your questions:

When should folks turn it on:

Never. It doesn't really work, and it limits what you can do with PHP in a sane way, so just don't turn it on.

When should folks keep it off:

Always. It doesn't really work, so there's no point to turning it on...

That's my $0.02 anyway...

Edit: Some references

Everything you can do to a server, you can do with Safe Mode on, including: It's possible to write to the webserver anyway. So what's the point?

A mailing list thread from PHP about removing it in 6

Edit2: About speed:

The speed difference is likely to be trivial at best. It's no more than a micro-optimization. You're going to get a far bigger gain by writing your code well than worrying about a specific configuration option such as this. Don't worry about the speed difference at all. Build your application properly, and worry about speed later. Not to mention that the choice of front end web server (Apache, IIS, Lighttpd, NginX, etc) and SAPI (mod_php, CGI, FastCGI, etc) will make a far bigger difference than safe_mode ever can...

Safe mode adds some limits to filesystem-related functions and process handling features (and some totally unrelated cURL options). It's nowadays considered pointless, as it can be circumvented on shared hosting servers by resorting to Perl or Python or bash-CGIs. Professional hosters use suexec and mod_chroot rather.

It can be beneficial if you want to run outdated scripts however (whether that's a good idea is open for discussion). While it doesn't solve all problems, the limitations can help to mitigate risks. It's thus a best effort solution like mod_security.

As far as speed is concerned, it's measurable but not significant.
