
HOWTO safe_mode

Discussion in 'Plesk for Linux - 8.x and Older' started by plugged, Aug 29, 2007.

  1. plugged

    What is the best way to use safe_mode?

    When I turn safe_mode on, some applications won't work any more, for example Joomla.

    I've looked at the rights and it is because some files have apache.apache as owner.

    Even with safe_mode_gid on, it doesn't work. It seems that I can only access files with owner and/or group <ftp-user>.psacln.

    What's the best way to fix this problem? Perhaps give httpd psacln as group, so that files will be owned by apache.psacln; then the group is the same and perhaps it will work.

    A better solution would be for httpd to have the same user and group as the hosting. For example: assume I have a website at /home/httpd/vhosts/domain.nl and through FTP the files get the ownership domain.psacln. Then it would be perfect if all files created through Apache also got the ownership domain.psacln, or domain.apache ...

    Has anyone got experience with this problem, or a working solution?
     
  2. plugged

    Has nobody got a solution for me?
     
  3. Daniel15

    safe_mode is a broken security system, and I would advise against using it. It breaks quite a few scripts, and in reality does not have any benefits over "normal" PHP. It's being removed in PHP 6 due to this.

    Instead, you're better off implementing "proper" security measures. Add things like exec, shell_exec, and system to the disable_functions setting. Install Suhosin (search for it in Google). There are a few other things you can do, but I don't have time to write them here at the moment... If you need any further help, please feel free to ask :)
     
  4. plugged

    Damn, I feel like an amateur now :( :eek:

    I've added those things like exec, shell_exec, and system to the disable_functions setting. And I'm googling for more of those settings.

    I have to test Suhosin on a test machine first before installing it on my server. It's FC2 now, but I am planning to switch to CentOS 5.

    edit:
    Ok, i've found many options, this is what i've found:
    disable_functions = chgrp, curl_exec, dl, escapeshellarg, escapeshellcmd, exec, ini_alter, leak, listen, parse_ini_file, passthru, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system
     
  5. Daniel15

    Haha, don't worry about it. ;)
    I'm a PHP coder and also run my own server (as well as doing maintenance work for a web host), so I learnt most of this from experience. ;)

    I'd add proc_close, pfsockopen, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_six_setuid, error_log, openlog, syslog, readlink, symlink, link and pcntl_exec to that list :)

    If you compile PHP yourself, you may use the Suhosin PHP patch, which adds several security features to the PHP core. However, most of its features are in the Suhosin extension, which is compiled separately and then installed. Instructions on how to do this are on the hardened-php.net site :)
     
  6. plugged

    You're right about that! I'm also a PHP coder and starting a Unix certification course.

    I noticed that I had to get rid of popen, because otherwise webmail isn't working!!!
    see http://forum.swsoft.com/showthread.php?s=&threadid=45785
    I had to remove more from my disable_functions, because although I don't see any error messages, the sent mail is not delivered to the recipients.

    Can somebody tell me what to allow and what to disable???
     
  7. plugged

    This is what I've got now, and it works:
    disable_functions = curl_exec, exec, ini_alter, parse_ini_file, passthru, shell_exec, pfsockopen, proc_close, proc_get_status, posix_six_setuid, posix_setsid, posix_setpgid, posix_kill, system, proc_nice, proc_open, proc_terminate

    This is what I had, and it didn't work:
    disable_functions = chgrp, curl_exec, dl, escapeshellarg, escapeshellcmd, exec, ini_alter, leak, listen, parse_ini_file, passthru, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system

    Those I've removed:
    1. chgrp
    2. dl
    3. escapeshellarg
    4. escapeshellcmd
    5. leak
    6. listen
    7. popen
    8. pcntl_exec

    And these I've added:
    1. posix_kill
    2. posix_setpgid
    3. posix_setsid
    4. posix_six_setuid

    I've played around a little, and noticed that the server isn't sending mail from webmail when escapeshellarg and escapeshellcmd are in disable_functions!!!!

    Adding popen to disable_functions gives the following error:
     
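The thread arrives at a disable_functions line by trial and error: Daniel15 suggests blocking the process-spawning functions, and plugged then discovers that the webmail client needs escapeshellarg, escapeshellcmd and popen left alone. The script below is an added example (not code from the thread or from Plesk) that turns that back-and-forth into a repeatable check: it reads the running PHP's disable_functions and compares it with two editorial lists, one of functions that must be blocked and one of functions the hosted applications are known to need. The lists, the file name audit_disable_functions.php and the assumption of PHP 7.4 or later (for the arrow functions) are mine; adjust the lists to your own policy.

```php
<?php
// Added example, not from the forum thread. Audits the running PHP's
// disable_functions against a policy. disable_functions is PHP_INI_SYSTEM and
// may differ per SAPI, so run this with the same php.ini as the site:
//   php -c /path/to/php.ini audit_disable_functions.php
// Requires PHP 7.4+ (arrow functions).

// Editorial choice: functions that spawn processes or load code at runtime.
const MUST_BE_BLOCKED = [
    'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'pcntl_exec', 'dl',
];

// Editorial choice: functions the applications on this host are known to need
// (the thread's webmail client broke without these three).
const MUST_STAY_CALLABLE = ['escapeshellarg', 'escapeshellcmd', 'popen'];

/** Split a php.ini disable_functions value into trimmed, non-empty names. */
function parseDisableFunctions(string $value): array
{
    $names = array_map('trim', explode(',', $value));
    return array_values(array_filter($names, fn (string $n): bool => $n !== ''));
}

/**
 * Compare policy with what the engine will actually run.
 * function_exists() is false both for a disabled function and for one that was
 * never compiled in; for the blocked list either outcome means "not callable".
 */
function auditDisableFunctions(array $mustBeBlocked, array $mustStayCallable): array
{
    $configured = parseDisableFunctions((string) ini_get('disable_functions'));

    // Policy says blocked, engine says callable: the dangerous case.
    $stillCallable = array_values(array_filter($mustBeBlocked, 'function_exists'));

    // Policy says needed, engine says gone: the "webmail silently stops" case.
    $breaksApps = array_values(array_filter(
        $mustStayCallable,
        fn (string $fn): bool => !function_exists($fn)
    ));

    // Names in the ini that the policy does not mention. Harmless if they are
    // real functions, but a misspelled name blocks nothing, so review them.
    $unreviewed = array_values(array_diff($configured, $mustBeBlocked, $mustStayCallable));

    return [
        'configured'     => $configured,
        'still_callable' => $stillCallable,
        'breaks_apps'    => $breaksApps,
        'unreviewed'     => $unreviewed,
    ];
}

$report = auditDisableFunctions(MUST_BE_BLOCKED, MUST_STAY_CALLABLE);
foreach ($report as $key => $names) {
    printf("%-15s %s\n", $key . ':', $names ? implode(', ', $names) : '(none)');
}

// Non-zero exit so a deployment script can refuse a php.ini that fails policy.
exit(($report['still_callable'] || $report['breaks_apps']) ? 1 : 0);
```

Because function_exists() cannot tell a disabled function from a name that was never a function, check the spelling of anything in the unreviewed list against a PHP run that ignores php.ini, for example `php -n -r 'var_dump(function_exists("posix_setuid"));'`: if that prints false, the name in your disable_functions line is not blocking anything.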