PHP security Mode

Source: Internet
Author: User
Tags: http authentication

Http://www.cnblogs.com/samson/archive/2011/08/08/2130550.html

PHP safe mode: safe_mode=on|off
Enabling the safe_mode directive restricts language features that are dangerous when PHP runs in a shared-hosting environment. The directive is Boolean: On enables safe mode and Off (the default) disables it. The throttling mechanism compares the UID (user ID) of the owner of the running script with the UID of the owner of the file the script tries to access. If the two UIDs match, the operation proceeds; otherwise it fails. Note that safe mode was deprecated in PHP 5.3 and removed in PHP 5.4, so it exists only on old installations and must not be the only barrier between tenants.
Specifically, the following restrictions take effect when safe mode is enabled:
1. All input and output functions (such as fopen(), file() and require()) are restricted to files that have the same owner as the script that calls them. For example, with safe mode enabled, if Mary owns a script that calls fopen() on a file owned by John, the call fails. If Mary owns both the script and the file that fopen() opens, the call succeeds.
2. Executing an external program through popen(), system() or exec() is possible only if the program is located in the directory named by the safe_mode_exec_dir configuration directive.
3. HTTP authentication is tightened: the UID of the script owner is added to the authentication realm, so one realm cannot be shared across users' scripts. In addition, the PHP_AUTH_USER and PHP_AUTH_PW variables are not set when safe mode is enabled and the page is protected by the web server's own (external) authentication, so a script cannot read a password that another mechanism collected.
4. When the MySQL database server is used, the user name used to connect to the MySQL server must be the same as the name of the owner of the file that calls mysql_connect().
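The owner comparison described in the points above, as an added example that is not part of the original article: a small PHP re-creation of the check that safe mode applied before every file operation, including the group-ID variant that safe_mode_gid enables. The function names safe_mode_permits() and guarded_fopen() and the sample paths are assumptions made for the illustration. Because safe mode was removed in PHP 5.4, a guard like this is what a script has to do itself on a current PHP if it wants the same policy.

```php
<?php
// Added example: a userland re-creation of the owner check that safe_mode
// performed before every file operation. safe_mode was deprecated in PHP 5.3
// and removed in PHP 5.4, so on current PHP a policy like this has to be
// enforced by the script itself. Function names and paths are assumptions.
declare(strict_types=1);

/**
 * True if $script would be allowed to touch $target under safe mode.
 * With $gidMode false the owner UIDs must match (safe_mode=On, safe_mode_gid=Off);
 * with $gidMode true a matching group ID is enough (safe_mode_gid=On).
 */
function safe_mode_permits(string $script, string $target, bool $gidMode = false): bool
{
    // For a path that does not exist yet (e.g. fopen() with mode 'w'), the
    // check is applied to the directory that would receive the new file.
    if (!file_exists($target)) {
        $target = dirname($target);
    }
    clearstatcache();
    $idOf = $gidMode ? 'filegroup' : 'fileowner';
    $scriptId = @$idOf($script);
    $targetId = @$idOf($target);
    // Fail closed: if either owner cannot be determined, refuse.
    if ($scriptId === false || $targetId === false) {
        return false;
    }
    return $scriptId === $targetId;
}

/**
 * fopen() wrapper that enforces the policy. Returns the stream, or null when
 * the owner check fails; the file is never opened in that case.
 */
function guarded_fopen(string $path, string $mode, bool $gidMode = false)
{
    $script = $_SERVER['SCRIPT_FILENAME'] ?? __FILE__;
    if (!safe_mode_permits($script, $path, $gidMode)) {
        error_log(sprintf('safe-mode policy: %s may not open %s', $script, $path));
        return null;
    }
    return fopen($path, $mode);
}

// Demonstration with constructed inputs. Run as an unprivileged user on a
// Unix-like system: the temporary file is created by us and shares our UID,
// while /etc/passwd is owned by root.
$ownFile   = tempnam(sys_get_temp_dir(), 'sm');
$otherFile = '/etc/passwd';

var_dump(safe_mode_permits(__FILE__, $ownFile));         // same owner: permitted
var_dump(safe_mode_permits(__FILE__, $otherFile));       // root-owned file: refused
var_dump(safe_mode_permits(__FILE__, $otherFile, true)); // GID mode: refused unless we are in root's group
var_dump(guarded_fopen($otherFile, 'r') === null);       // the wrapper refuses to open it
unlink($ownFile);
```

Save the script as a file owned by the account that runs it, otherwise the first comparison already fails (which is exactly what safe mode would do with a script owned by someone else). Running it as root makes every check pass, since root owns /etc/passwd as well.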
Safe mode and the functions it affects
The following functions, variables and configuration directives are affected when the safe_mode directive is enabled:
apache_request_headers(), the backtick (`...`) operator, chdir(), chgrp(), chmod(), chown(), copy(), dbase_open(), dbmopen(), dl(), exec(), filepro(), filepro_retrieve(), filepro_rowcount(), fopen(), header(), highlight_file(), the ifx_* functions, the ingres_* functions, link(), mail(), the max_execution_time directive, mkdir(), move_uploaded_file(), the mysql_* functions, parse_ini_file(), passthru(), pg_lo_import(), popen(), posix_mkfifo(), putenv(), rename(), rmdir(), set_time_limit(), shell_exec(), show_source(), symlink(), system(), touch().

The following configuration directives are related to safe mode.
safe_mode_gid=on|off
This directive relaxes the safe mode check: instead of requiring that the script owner's UID match the file owner's UID, it only requires that their group IDs match. For example, if Mary and John are in the same group, Mary's script can call fopen() on John's file. Because every member of the group gains that access, leave it Off unless all accounts in a group genuinely trust each other.
safe_mode_include_dir=string
The safe_mode_include_dir directive names one or more paths from which files can be included without the UID/GID check when safe mode is enabled. You might use it, for example, for a directory of templates that are shared among a number of user sites. Multiple directories are separated by colons on Unix-based systems and by semicolons on Windows.
Note that each entry is matched as a prefix of the path being included. If you specify a path without a trailing slash, every path that begins with that string is exempt from the safe mode check, not only the directory itself: with the directive set to /home/configuration, files under /home/configuration/templates/ and /home/configuration/passwords are exempt, but so are files under /home/configuration2 or /home/configuration-old. To exempt exactly one directory (together with its subdirectories), make sure each entry ends with a trailing slash, for example /home/configuration/.
safe_mode_allowed_env_vars=string
When safe mode is enabled, user scripts may only modify (through putenv()) environment variables whose names begin with one of the prefixes listed in this directive, separated by commas. The default is PHP_, so a script may set PHP_FOO but not PATH. If the directive is left empty, scripts may modify any environment variable.
safe_mode_exec_dir=string
This directive names the directory from which system programs may be executed through functions such as system(), exec() and passthru(). Safe mode must be enabled for it to take effect. One quirk: on every operating system, including Windows, the directory separator in this path must be a forward slash (/).
safe_mode_protected_env_vars=string
This directive protects certain environment variables from being modified by putenv(), even if their names match a prefix in safe_mode_allowed_env_vars. By default LD_LIBRARY_PATH is protected, because changing it at run time alters which shared libraries the process loads and can produce unpredictable results; see the ld.so(8) manual page for details. Variables listed here take precedence over anything permitted by safe_mode_allowed_env_vars.
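To tie the directives together, here is an added example, not from the original article and not part of PHP itself, that applies the rules above to two constructed php.ini fragments: a weak configuration that repeats the mistakes discussed, and the corrected form. The function names audit_safe_mode_ini() and include_dir_matches(), the finding texts, the directory /usr/local/php-bin and the ini contents are assumptions made for the illustration. include_dir_matches() also demonstrates the prefix semantics of safe_mode_include_dir described under that directive.

```php
<?php
// Added example: audit the safe-mode directives of a php.ini against the rules
// described in the article. The ini fragments are constructed for the demo and
// the function names are assumptions.
declare(strict_types=1);

/**
 * safe_mode_include_dir semantics: each entry is a prefix match, so without a
 * trailing slash "/home/configuration" also matches "/home/configuration2".
 * Entries are separated by PATH_SEPARATOR (':' on Unix, ';' on Windows).
 */
function include_dir_matches(string $path, string $includeDirs): bool
{
    foreach (explode(PATH_SEPARATOR, $includeDirs) as $prefix) {
        if ($prefix !== '' && strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/** Return a list of findings; an empty array means nothing to report. */
function audit_safe_mode_ini(string $iniText): array
{
    // INI_SCANNER_RAW keeps "On"/"Off" and backslashes exactly as written.
    $ini = parse_ini_string($iniText, false, INI_SCANNER_RAW);
    $findings = [];
    $on = function (string $v): bool {
        return in_array(strtolower(trim($v)), ['1', 'on', 'true', 'yes'], true);
    };

    if (!isset($ini['safe_mode']) || !$on($ini['safe_mode'])) {
        $findings[] = 'safe_mode is off: no owner check on fopen()/include()/exec()';
    }
    if (isset($ini['safe_mode_gid']) && $on($ini['safe_mode_gid'])) {
        $findings[] = 'safe_mode_gid=On: every script in the same group passes the check';
    }
    foreach (explode(PATH_SEPARATOR, $ini['safe_mode_include_dir'] ?? '') as $dir) {
        if ($dir !== '' && substr($dir, -1) !== '/') {
            $findings[] = "safe_mode_include_dir entry '$dir' lacks a trailing slash: "
                        . "it is a prefix and also matches '{$dir}2' and '{$dir}-old'";
        }
    }
    if (strpos($ini['safe_mode_exec_dir'] ?? '', '\\') !== false) {
        $findings[] = 'safe_mode_exec_dir uses backslashes; PHP requires forward slashes even on Windows';
    }
    if (array_key_exists('safe_mode_allowed_env_vars', $ini)
        && trim($ini['safe_mode_allowed_env_vars']) === '') {
        $findings[] = 'safe_mode_allowed_env_vars is empty: putenv() may set ANY variable';
    }
    $protected = array_map('trim', explode(',', $ini['safe_mode_protected_env_vars'] ?? 'LD_LIBRARY_PATH'));
    if (!in_array('LD_LIBRARY_PATH', $protected, true)) {
        $findings[] = 'LD_LIBRARY_PATH is not listed in safe_mode_protected_env_vars';
    }
    return $findings;
}

// Constructed php.ini fragments: the first repeats the mistakes discussed in
// the article, the second is the corrected form.
$weakIni = <<<'INI'
safe_mode = Off
safe_mode_gid = On
safe_mode_include_dir = /home/configuration:/usr/local/lib/php
safe_mode_exec_dir = C:\php\bin
safe_mode_allowed_env_vars =
safe_mode_protected_env_vars =
INI;

$hardenedIni = <<<'INI'
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir = /home/configuration/:/usr/local/lib/php/
safe_mode_exec_dir = /usr/local/php-bin
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
INI;

foreach (['weak' => $weakIni, 'hardened' => $hardenedIni] as $label => $text) {
    $findings = audit_safe_mode_ini($text);
    printf("%s configuration: %d finding(s)\n", $label, count($findings));
    foreach ($findings as $f) {
        echo "  - $f\n";
    }
}

// The prefix rule in action: only the entry with the trailing slash is strict.
var_dump(include_dir_matches('/home/configuration2/x.php', '/home/configuration'));
var_dump(include_dir_matches('/home/configuration2/x.php', '/home/configuration/'));
```

The weak fragment produces a finding for each of the six problems (the include directory list yields two, one per entry), while the hardened fragment produces none. The script is a reading aid for old php.ini files; on PHP 5.4 and later these directives are simply ignored, which is itself the strongest argument for not depending on them.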

In addition, enabling safe mode slows execution, because before every file access PHP must look up the file's owner and compare it with the owner of the running script.
