
HOWTO safe_mode

plugged

Guest
What is the best way to use safe_mode?

When I turn safe_mode on, some applications won't work anymore, for example Joomla.

I've looked at the rights and it is because some files have apache.apache as owner.

Even with safe_mode_gid on, it doesn't work. It seems that I can only access files with owner and/or group <ftp-user>.psacln.

What's the best way to fix this problem? Perhaps give httpd psacln as group, so that files will have ownership apache.psacln; then the group is the same and perhaps then it will work.

A better solution would be that httpd has the same user and group as the hosting. For example: assume I have a website at /home/httpd/vhosts/domain.nl and through FTP the files get the ownership domain.psacln. Then it would be perfect if all files created through Apache also got the ownership domain.psacln, or domain.apache ...

Has anyone got experience with this problem, or a working solution?
 
safe_mode is a broken security system, and I would advise against using it. It breaks quite a few scripts, and in reality does not have any benefits over "normal" PHP. It's being removed in PHP 6 due to this.

Instead, you're better off implementing "proper" security measures. Add things like exec, shell_exec, and system to the disable_functions setting. Install Suhosin (search for it in Google). There's a few other things you can do, but I don't have time to write them here at the moment... If you need any further help, please feel free to ask :)
 
Damn, I feel like an amateur now :( :eek:

I've added those things like exec, shell_exec, and system to the disable_functions settings. And I'm googling for more of those settings.

I have to test on a test machine first for Suhosin before installing on my server. It's FC2 now, but I am planning to switch to CentOS 5.

edit:
OK, I've found many options; this is what I've found:
disable_functions = chgrp, curl_exec, dl, escapeshellarg, escapeshellcmd, exec, ini_alter, leak, listen, parse_ini_file, passthru, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system
 
Damn, I feel like an amateur now :( :eek:
Haha, don't worry about it. ;)
I'm a PHP coder and also run my own server (as well as doing maintenance work for a web host), so I learnt most of this from experience. ;)

I've added those things like exec, shell_exec, and system to the disable_functions settings. And I'm googling for more of those settings.

I have to test on a test machine first for Suhosin before installing on my server. It's FC2 now, but I am planning to switch to CentOS 5.

edit:
OK, I've found many options; this is what I've found:
disable_functions = chgrp, curl_exec, dl, escapeshellarg, escapeshellcmd, exec, ini_alter, leak, listen, parse_ini_file, passthru, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system

I'd add proc_close, pfsockopen, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_six_setuid, error_log, openlog, syslog, readlink, symlink, link and pcntl_exec to that list :)

If you compile PHP yourself, you may use the Suhosin PHP patch, which adds several security features to the PHP core. However, most of its features are in the Suhosin extension, which is compiled separately and then installed. Instructions on how to do this are on the hardened-php.net site :)
 
Originally posted by Daniel15
Haha, don't worry about it. ;)
I'm a PHP coder and also run my own server (as well as doing maintenance work for a web host), so I learnt most of this from experience. ;)
You're right about that! I'm also a PHP coder and starting a Unix certification course.


I'd add proc_close, pfsockopen, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_six_setuid, error_log, openlog, syslog, readlink, symlink, link and pcntl_exec to that list :)

If you compile PHP yourself, you may use the Suhosin PHP patch, which adds several security features to the PHP core. However, most of its features are in the Suhosin extension, which is compiled separately and then installed. Instructions on how to do this are on the hardened-php.net site :)
I noticed that I had to get rid of popen, because otherwise webmail ain't working!!!
see http://forum.swsoft.com/showthread.php?s=&threadid=45785
Originally posted by Valentin
Hello,

in my php config the function popen() (http://de.php.net/popen) was disabled in php.ini - removing the popen from disabled_functions solved the problem!

(using FC4)
I had to remove more from my disabled_functions, because though I don't see any error messages, the sent mail is not delivered to the recipients.

Can somebody tell me what to allow and what to disable???
 
This is what I've got now, and it works:
disable_functions = curl_exec, exec, ini_alter, parse_ini_file, passthru, shell_exec, pfsockopen, proc_close, proc_get_status, posix_six_setuid, posix_setsid, posix_setpgid, posix_kill, system, proc_nice, proc_open, proc_terminate

This is what I had, and it didn't work:
disable_functions = chgrp, curl_exec, dl, escapeshellarg, escapeshellcmd, exec, ini_alter, leak, listen, parse_ini_file, passthru, pcntl_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system

Those I've removed:
  1. chgrp
  2. dl
  3. escapeshellarg
  4. escapeshellcmd
  5. leak
  6. listen
  7. popen
  8. pcntl_exec

And these I've added:
  1. posix_kill
  2. posix_setpgid
  3. posix_setsid
  4. posix_six_setuid

I've played around a little, and noticed that the server isn't sending mail from webmail when escapeshellarg and escapeshellcmd are in disable_functions !!!!

Adding popen to disable_functions gives the following error:
There was an error sending your message: Failed to open sendmail [/var/qmail/bin/sendmail] for execution.
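
Added example, not part of the original thread: a small Python helper that parses the two disable_functions values from the last post, lists what changed between them, and checks a list against the functions the thread reports webmail needs (popen, escapeshellarg, escapeshellcmd). The function names, the REQUIRED map and the leading comment line in OLD_INI are assumptions constructed for this illustration.

```python
import re

# Both values are copied from the last post in this thread.
OLD_INI = ("; list that broke webmail\n"  # constructed comment line
           "disable_functions = chgrp, curl_exec, dl, escapeshellarg, "
           "escapeshellcmd, exec, ini_alter, leak, listen, parse_ini_file, "
           "passthru, pcntl_exec, popen, proc_close, proc_get_status, "
           "proc_nice, proc_open, proc_terminate, shell_exec, show_source, "
           "system\n")
NEW_INI = ("disable_functions = curl_exec, exec, ini_alter, parse_ini_file, "
           "passthru, shell_exec, pfsockopen, proc_close, proc_get_status, "
           "posix_six_setuid, posix_setsid, posix_setpgid, posix_kill, "
           "system, proc_nice, proc_open, proc_terminate\n")

# Assumption: built only from what the thread reports (webmail could not
# send mail while any of these three functions was disabled).
REQUIRED = {"webmail": {"popen", "escapeshellarg", "escapeshellcmd"}}


def parse_disable_functions(ini_text):
    """Return the names in the last active disable_functions directive."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop php.ini ';' comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:  # a later directive overrides an earlier one
            items = m.group(1).strip('"').split(",")
            # PHP function names are case-insensitive, so normalise case
            names = {i.strip().lower() for i in items if i.strip()}
    return names


def diff_lists(old, new):
    """Return (re-enabled, newly disabled) function names, sorted."""
    return sorted(old - new), sorted(new - old)


def broken_features(disabled, required=REQUIRED):
    """Map each feature to the functions it needs that are disabled."""
    return {f: sorted(need & disabled)
            for f, need in required.items() if need & disabled}


if __name__ == "__main__":
    old, new = parse_disable_functions(OLD_INI), parse_disable_functions(NEW_INI)
    removed, added = diff_lists(old, new)
    print("re-enabled:", ", ".join(removed))
    print("newly disabled:", ", ".join(added))
    print("old list breaks:", broken_features(old))
    print("new list breaks:", broken_features(new))
```

Run against the two values above, the diff also reports show_source as re-enabled and pfsockopen as newly disabled.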
 