The reason that PHP is often put into Safe Mode on multi-host webservers is that PHP is often embedded into the web server (it doesn't have to be, as PHP scripts can be run in a CGI environment, but it usually is). This means that all PHP scripts run with the permissions that the web server runs as. So your PHP scripts then have the ability to do anything that your webserver has permission to do. And since all PHP scripts across all the websites run as the same user, you would have the ability to change any files that were writable by the webserver, and to read any code that other users have put on their websites (i.e. to look for database passwords and such in other PHP programs).

In a shared environment, Perl is usually only available through CGI programs. Most webservers allow you to run CGI scripts as a different user for every website. In Apache this is done through the suexec module (I don't know IIS so you will have to look that up). Since in this case all scripts run as their own user, they can only read and change files that they have permissions for. This makes it much more secure. Perl can also be run as part of the webserver using mod_perl, and in that case it suffers from the same security concerns that PHP does.

Of course if you let a user execute a program on your server, they can look at any world-readable file on the system and write to any world-writable file, so you will need to make sure that your system is sufficiently secured (again on Windows I am not sure how to help you, and that is a topic beyond this forum regardless). Also, your users will be able to do nasty things like run programs that suck up all your CPU (either maliciously, or through silly programming errors), or they could fill up your disk with junk, bringing your server to its knees. There are many ways to protect yourself against these things that you should probably look into.

Also, you should know that this isn't a specific problem with Perl. Any programming language will suffer from these issues, unless you run them in some sort of a sandbox where the user is limited in what they can see and/or do.

- Cees


In reply to Re: Installing and securing server by cees
in thread Installing and securing server by nms
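The post above makes two points a shared-hosting admin can actually go and check: with mod_php (or mod_perl) every site's code runs as the web server user, so another customer's world-readable config.php is an open book, and any world-writable directory is a place for a tenant to fill the disk. The script below is an added example and is not part of cees's post or of any PerlMonks code; it audits a document-root tree for both conditions. The two-customer directory layout, the file names and the "constructed-example" password are all made up for the demo, while the two audit functions work on any real tree you point them at.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shared web root for the
# two problems described above -- script/config files that any local user can
# read out of another site's tree, and files or directories anyone can write.

# List script files under "$1" whose "other" read bit is set. With mod_php a
# file only has to be readable by the web server user for another site's
# PHP to read it, but the world-readable case is the common, easy-to-spot one.
world_readable_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) \
        -perm -o=r | sort
}

# List files, and non-sticky directories, under "$1" whose "other" write bit
# is set. Sticky dirs (mode 1xxx, like /tmp) are excluded on purpose.
world_writable() {
    find "$1" \( -type f -o -type d ! -perm -1000 \) -perm -o=w | sort
}

# Build a throw-away tree mimicking two customers' document roots (constructed
# sample data for the demo) and print its path so the caller can audit it.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/htdocs" "$root/bob/htdocs" "$root/bob/uploads"
    # Alice's config with a DB password, left world-readable: bob's CGI,
    # or anything running as the web server user, can read it.
    printf '<?php $db_pass = "constructed-example";\n' > "$root/alice/htdocs/config.php"
    chmod 644 "$root/alice/htdocs/config.php"
    # Bob's script, readable by owner and group only: not reported.
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$root/bob/htdocs/index.pl"
    chmod 750 "$root/bob/htdocs/index.pl"
    # Bob's upload directory, world-writable: anyone on the box can fill the disk.
    chmod 777 "$root/bob/uploads"
    printf '%s\n' "$root"
}

# Stand-alone usage: build the demo tree and audit it.
if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_tree)
    echo "world-readable scripts:"; world_readable_scripts "$demo"
    echo "world-writable paths:";   world_writable "$demo"
    rm -rf "$demo"
fi
```

On a real server run `world_readable_scripts /var/www` (or wherever your vhosts live) as any unprivileged account; anything it lists is readable by every customer's CGI scripts, suexec or not. The fix for the files it finds is ownership by the site's own user with mode 0640 or tighter, combined with running each site's scripts as that user via suexec so the web server user itself never needs read access to the code.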