Good points. Since php 5, the underlying security mess has greatly improved. As with all tools, the application really matters. <br><br>I am particularly pleased with the existence of the selinux wrapper as this will provide a (potentially) solid wall between the privilege escalation attempt and actual access.<br>
<br>It will be a near vertical learning curve to squeeze many common php apps into a selinux armor suit. <br><br><div class="gmail_quote">On Wed, Jun 6, 2012 at 5:12 AM, Leam Hall <span dir="ltr"><<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 06/05/2012 11:48 PM, Jim Kinney wrote:<br>
> <a href="http://koji.fedoraproject.org/koji/packageinfo?packageID=7917" target="_blank">http://koji.fedoraproject.org/koji/packageinfo?packageID=7917</a><br>
><br>
> There is a selinux package for php that can be used to wrap it with<br>
> kernel armor that, in an selinux way, can be used to block privilege<br>
> escalations and unauthorized file writes.<br>
><br>
> It still requires an selinux guru to totally hack the rules into a<br>
> custom form for a web app but the wrapper does exist.<br>
><br>
> This would make drupal and wordpress not quite so scary to run.<br>
><br>
<br>
</div>The difference between PHP and most other web facing languages is usage,<br>
not vulnerabilities. Because PHP is used to interact with users, and<br>
abusers, there will always be issues with how the code is written.<br>
<br>
While PHP has room for improvement, I have not seen that the language<br>
itself is any worse than the other scripting languages out there.<br>
<br>
The key issue is that PHP scripts run as the webserver and you have to<br>
code heavily against privilege escalation outside of what your webpage<br>
should do.<br>
<br>
Leam<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><br>As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as
they please, and those who survive will be left to contemplate the
outcome.<br>- <i><i><i><i>2011 Noam Chomsky<br><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i><br>