PHP Safe Mode Always ON

[Raf007]

Hello Guys, I am having issue with PHP Safe Mode just after Plesk upgrade to 10.4.4.
PHP Safe mode it seems to be permanently ON even if php.ini or inside service plan settings are set to OFF
The same example is happing with Display Errors setting, They are set to OFF but it still showing as ON

It looks like there is something overwriting php settings.

I am not sure how I can fix that, any suggestions?

Regards
Raf

 

[Plesk_kidv]

Try creating a phpinfo.php file on the site to see where the php.ini file is being loaded from.

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

 

[Mark_Letford]

PHP-Info

Hello all,

I have the same problem. Here is some information from my phpinfo():


System Linux *****.com 2.6.18-14-fza-amd64 #1 SMP Mon Jan 5 17:36:46 UTC 2009 i686
Build Date Jul 1 2011 16:45:19
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php5/apache2
Loaded Configuration File /etc/php5/apache2/php.ini
Scan this dir for additional .ini files /etc/php5/apache2/conf.d
additional .ini files parsed /etc/php5/apache2/conf.d/curl.ini, /etc/php5/apache2/conf.d/gd.ini, /etc/php5/apache2/conf.d/imap.ini, /etc/php5/apache2/conf.d/ioncube-loader-5.2.ini, /etc/php5/apache2/conf.d/mysql.ini, /etc/php5/apache2/conf.d/mysqli.ini, /etc/php5/apache2/conf.d/pdo.ini, /etc/php5/apache2/conf.d/pdo_mysql.ini, /etc/php5/apache2/conf.d/pdo_sqlite.ini, /etc/php5/apache2/conf.d/sqlite.ini, /etc/php5/apache2/conf.d/xsl.ini
PHP API 20041225
PHP Extension 20060613
Zend Extension 220060519
Debug Build no
Thread Safety disabled
Zend Memory Manager enabled
IPv6 Support enabled
Registered PHP Streams zip, php, file, data, http, ftp, compress.bzip2, compress.zlib, https, ftps
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, convert.iconv.*, bzip2.*, zlib.*

 

[Raf007]

Try creating a phpinfo.php file on the site to see where the php.ini file is being loaded from.

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

Hello, I've run PHP test from PLESK default page and this is what I've got :

PHP Version 5.2.17

System Windows NT ******** 6.1 build 7601
Build Date Jan 6 2011 17:26:08
Configure Command cscript /nologo configure.js "--enable-snapshot-build" "--enable-debug-pack" "--with-snapshot-template=d:\php-sdk\snap_5_2\vc6\x86\template" "--with-php-build=d:\php-sdk\snap_5_2\vc6\x86\php_build" "--with-pdo-oci=D:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=D:\php-sdk\oracle\instantclient10\sdk,shared" "--without-pi3web"
Server API CGI/FastCGI
Virtual Directory Support enabled
Configuration File (php.ini) Path C:\Windows
Loaded Configuration File C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\php.ini
Scan this dir for additional .ini files (none)
additional .ini files parsed (none)
PHP API 20041225
PHP Extension 20060613
Zend Extension 220060519
Debug Build no
Thread Safety enabled
Zend Memory Manager enabled
IPv6 Support enabled
Registered PHP Streams php, file, data, http, ftp, compress.zlib, https, ftps, zip
Registered Stream Socket Transports tcp, udp, ssl, sslv3, sslv2, tls
Registered Stream Filters convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, zlib.*


Configuration

PHP Core
safe_mode Off Off
safe_mode_exec_dir no value no value
safe_mode_gid Off Off
safe_mode_include_dir no value no value

Let me know if you need more info,

Regards
Raf

 

[baumschule]

Same Problem here with Windows Webserver 2008 R2 SP1, Plesk 10.4.4 an PHP 5.2.17

If i change php.ini settings in my customers hosting-settings nothing changes
e.g. if i change register_globals to on phpinfo() still says register_globals = off
and the values in the registry "HKLM/Software/Wow6462Node/PHP/Per Directory Values/C/inetpub/vhosts/domain/" arent changing too.

the second problem i noticed:
if i manualy set register_globals to on in registry value
phpinfo() says lokal regsiter_globals = on but scripts wont work with global variables
its like register_globals is still off even tough phpinfo() says its on!


please answer quick!!!
my customers complain a lot about this!

 

[Raf007]

Hello baumschule, I am sorry to say but you wont get quick reply about it as I am waiting for the solution since Dec 6, 2011.

Regards

 

[baumschule]

i have restartet the server (sorry for didnt do this earlier)

now the behavior is:
if i change php hosting-setting in the customers web-backend
the registry values change too and the phpinfo() says register_globals = on

so far so good ...

but the php scripts act like register_globals is still off.

my example-script for testing

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Unbenanntes Dokument</title>
</head>

<body>

<?
echo "last post input: ".$testtext1."<br />";
echo "last get input: ".$testtext2."<br /><br />";
?>

<form action="test.php?testtext2=world" method="post">
<input type="text" name="testtext1" value="hello"/>
<input type="submit" value="submit" />
</form>
</body>
</html>

with register_globals = on the variables testtext1 and testtext2 should have content but they dont!!!
why isnt it working?? phpinfo() says: register_globals = on

 

[zebrafilm]

Me too have all kind of (not so)funny PHP behaviour....

Lets start with something written by Parallels in the upgrade notes:
Location of Website-Level PHP Settings in Panel for Windows

quote =====================

After you apply all the necessary modifications, you can view the modified php.ini for a certain website. The paths to the ini files are kept in the Windows registry, under HKEY_LOCAL_MACHINE\SOFTWARE\PHP\Per Directory Values. For example:

HKEY_LOCAL_MACHINE\SOFTWARE\PHP\Per Directory Values\C\Inetpub\vhosts\<DOMAIN NAME>\httpdocs

where <DOMAIN NAME> stands for a certain domain name.

end quote ====================

Not sure about you guys but I don't have a PHP folder in my registry....
I can change setting per site and they show backup in the control panel but don't get enforced in reality.

Hope we will get an update that fixes the issues soon. I like the idea but it should work on the first release....

 

[Notpleased]

Me too have all kind of (not so)funny PHP behaviour....

Lets start with something written by Parallels in the upgrade notes:
Location of Website-Level PHP Settings in Panel for Windows

quote =====================

After you apply all the necessary modifications, you can view the modified php.ini for a certain website. The paths to the ini files are kept in the Windows registry, under HKEY_LOCAL_MACHINE\SOFTWARE\PHP\Per Directory Values. For example:

HKEY_LOCAL_MACHINE\SOFTWARE\PHP\Per Directory Values\C\Inetpub\vhosts\<DOMAIN NAME>\httpdocs

where <DOMAIN NAME> stands for a certain domain name.

end quote ====================

Not sure about you guys but I don't have a PHP folder in my registry....
I can change setting per site and they show backup in the control panel but don't get enforced in reality.

Hope we will get an update that fixes the issues soon. I like the idea but it should work on the first release....

Assuming you are using 64bit OS, it should be located here:

hkey_local_machine\software\wow6432node\php

Makes no difference for me though. Even though it says 'off' in the registry it still behaves as though it is on.

Plesk is a complete mess. Very unhappy with this software and I am starting to look for a more reliable solution with better support.

 

[zebrafilm]

Thanks, that helped me to removes some item manually in the registry.
Not a real option for my clients though.....

It seems open_basedir is set automatically to local dir but with an ending slash, meaning no sub dirs will work.
Tried to remove it from the panel but no luck.

Thanks for the tip.

 

[IgorG]

Fixed in MU#11 - http://kb.parallels.com/en/113088

 

[baumschule]

Now i have MU#12 and my Problem still isnt solved!!!


change register_globals in Service Plan PHP settings is working!

and phpinfo() says register globals=on

but the php-script (see my example-script for testing) still behave like register_globals = off.

so im not able to run scripts which need register_globals=on

 

[LeonardChallis]

existing domains

This issue still seems to be present.

phpinfo() shows safe_mode is On for both global and local, when looking at an existing domain, even after updating (and syncing) PHP settings global and for the subscription.

When I create a new subscription with a different domain the phpinfo() output shows global On and local Off. safe_mode is off on that domain as I can do things (namely wordpress updates) that I couldn't do on the above mentioned domain.

Is there a way to fix the existing ones, so I don't have to do a lot of messing about backing everything up, moving it out, recreating the subscription, moving it back in, sorting out permissions again, etc?

Cheers

 

[Notpleased]

But Igor linked to the official document that says it is fixed so it must be true.

Thread was created on Dec. 5th. No official reply until more than one month later and all he can do is link to a document that says it is fixed when in fact it is not fixed for the people that it was broken for in the first place. It only fixes it for future applications.

FAIL !

 

[pantamedia]

open_basedir always filled, display settings always on

It seems that not only safe_mode is on and global variables are off.
On our installation:
- open_basedir is always set to the doc root (can only be set to no value by tinkering with the regeditor)
- display_errors is on if not specified in the registry or set to default value in panel php settings even though php.ini has display_errors = Off

These two seem harmless, untill you use a mechanism where you place a file outside the public accesible folder (one folder up) and only provide access to it through a custom authentication and readfile() and print() of the contents. Then open_basedir is a huge pain. Regardless of if this is safe or not, open_basedir should not be always set like this.

open_basedir is peanuts compared to the display_errors problem though. If you have set display_errors = on anywhere (php.ini, registry, script through ini_set) and phpinfo() shows the local value for display_settings = on still no error is printed if an error, warning, notice or whatever occurs. Instead, if you set the error_reporting level to show ANY error, warning, etc (-1) then we get a 500 internal server error instead of printing the error on screen. Now, this is the biggest problem because it forces me to set error_reporting to 0 since it will give a 500 error also when a strict or notice occurs and if you have set error_reporting in such a way that these get reported.

Also, I have specified one logfile so I can keep track of what is going on and the logfile never gets created with 10.4.4 although it did get created with 10.3 ... so, I get a 500 internal server error but can't resolve it because on screens it doesn't report what the problem is anymore and no logfile is created even though logging to a file is set to On.

We are running a dedicated server with Plesk Panel 10.4.4 update #13 by the way and these are all problems with domains that got migrated and have had their settings changed after the migration from 10.3. Domains where I have left the settings alone, errors if any occur are displayed on screen if I set display_errors to 1 in the script to debug (production system, so display_errors is set to off by default by me).

Anyone have ANY ideas how to resolve this for my exisiting domains, without redoing the domain because we ARE talking about a live system and I can't simply recreate the domain...

 

[pantamedia]

at least one huge problem solved

With the biggest and reddest face I have to and want to let you all in on my shameful mistake. The problem of the 500 internal error when display_errors is set to off, the error_reporting is set to a value that will actually provide you with some error messages and enable logging of errors but without any sign of a php logfile was caused by.... drum roll.... insufficient access rights to the folder where the logfile was to be created....... I have a sore head from banging my face against the table.

This does NOT however solve the problems of the default open_basedir or any lame default settings of the per_directory_value settings as mentioned by me and all you guys here...

Do I feel stupid ...

 

[mandi22]

I believe everyone having this problem is running a PHP v 5.2 and did not upgrade to 5.3. The problem is that in 10.4.4. you cannot upgrate PHP for some reason

 

[IgorG]

I believe everyone having this problem is running a PHP v 5.2 and did not upgrade to 5.3. The problem is that in 10.4.4. you cannot upgrate PHP for some reason

PHP5.3 is officially supported since MU#13 - http://kb.parallels.com/en/113187

 

[pantamedia]

I believe everyone having this problem is running a PHP v 5.2 and did not upgrade to 5.3. The problem is that in 10.4.4. you cannot upgrate PHP for some reason

Upgrading to 5.3 should not be the solution. There are circumstances where you can not use 5.3 and have to be able to use 5.2 ... or an even older version like 4.x (although that would be very very very bad practise). If 5.2 or an older is not able to use on the fly php settings, these settings should not be enforced or cause problems like they do now. But that is just my two cents.

 

[LeonardChallis]

Still can't modify PHP safe_mode

For existing domains, is there a way this can be fixed yet? Or am I going to have to recreate the entire domain one night?