I´ve always onfigured safe_mode as on with all webhosting servers. Now, I will start using SWSOFT´s Sitebuilder along with PLESK 8.2 which requires safe_mode to be sat to off.

Question is, what are the alternatives to safemode to keep the server from beeing hacked. Using ASL as well, but I do not think that it compensates for safe_mode?

Any suggestiongs would be welcome. Thanks.

I'd just set the global safe_mode setting (in /etc/php.ini) to On and disable safe_mode on domains that don't function under safe_mode.

Thanks breun. That limits the nuber of domains that can be used for an exploit, but the problem is still there.

safe_mode is no guarantee against exploits. In fact, I believe safe_mode will be removed in PHP 6 as it gives a false sense of security. That doesn't mean it is completely useless though, it will stop some bad thing from happening. On the other hand, it also perfectly possible to have exploitable code run under safe_mode.

I'm pretty sure you cannot audit all code that will run on your server and in fact you will never be sure code cannot be exploited. I think using security tools like ASL provides and having a usable safe_mode policy is in most cases all you can practically do.

Its all about security in depth.