Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

[Matthew Caron <Matt.Caron () redlion net>]

On 08/12/2013 07:45 PM, coderaptor wrote:
> Just because you have an opinion does not make it more right than
> others. PHP sucks with 1300 functions (what programming language
> requires 1300 functions? The one that is designed poorly),

Or, one which has a very rich featureset which doesn't require folks to 
reinvent the wheel every time they want to read in a bitmap.

That said, PHP sucks for other reasons, most notably the inability to 
force variable predeclaration (ie perl's "use strict")*, but I wanted to 
specifically address your criticism of a language having "too many 
functions".

* Assuming this is still true. It was back in 2008 when I quit my web 
job and went back into firmware, and I haven't been doing much with PHP 
since, instead focusing on C and D on ARM and PPC, so this may have been 
remedied.

> that's a
> fact. And you aren't helping it suck less. I may be clueless about how
> the apache + php glue and php work, but I am now very sure that I
> won't use PHP. And will probably stick with my OpenBSD implementation
> of chrooted apache - apache is fit to be in a jail.

I don't see why you need to demonstrate that PHP sucks to justify this 
position. Compartmentalization is generally a good idea - feel free to 
practice more of it, as long as you can live with the limitations of 
doing so. There are also lightweight kernel-level virtualization 
approaches (linux containers (lxc), Solaris containers, and BSD jails 
(not to be confused with chroot jails)), which provide even better 
segregation than a mere chroot.

--
Matthew Caron, Software Build Engineer
Sixnet, a Red Lion business | www.sixnet.com
+1 (518) 877-5173 x138 office