• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

safe_mode off by default?

A

ad7742

Guest
Hi

Can anyone let me know if their server has safe_mode off by default? My last installs have done and it's really insecure...

I'm using RedHat Enterprise Linux 3 (fully patched) and Plesk 7.5 Reloaded (fully patched).

My php.ini file is set to have safe_mode off, and also it's also set to off in the main Plesk httpd.include file (i.e. the one in /etc/httpd/conf/). I just wanted to see if it's something I'm doing wrong during the install (which I'm pretty certain isn't the case...) or if it's default - i.e. does everyone else have this?

For your info, having safe_mode off essentially gives any client SSH access to the web server, logged in as Apache. I was recently introduced to a php script that does this.

For security reasons, I'm not going to post any more info on the php script here.

I was shown the script by a client (of all people...) who thankfully didn't realise how powerful the login was - he was just showing me that it let him browse any folder on the server. However, I did a test and successfully compiled a "helloWorld.c" C program using gcc. It ran as the user "apache"; therefore any files (including the httpd config files) could be edited by this login. Basically, any client could really break the server.

Any feedback would be appreciated.

Regards

Andy
 
The status of PHP Safe Mode is really determined by the OS and what version you have and what you may do during / after the installation. Historically, PHP would install with safe_mode Off and register_globals On but neither is a safe setting.

On all new servers, the first thing I do is turn safe_mode On, register_globals Off and allow_url_fopen Off. Then the site code has to be written to run under those settings. If my some chance I have to support a PHP application that requires register_globals On or safe_mode Off, I do this in the context of that domain in a vhost.conf file.
 
This is exactly what I am trying to do right now.

Only prob is that I dont know how the vhost.conf should look like for this matter.

Could some1 please post a vhost.conf for just changing php safe mode to off and globals on
?
this would be great.

tia
herby
 
I would be happy too if someone could explain how to do this with Plesk on the server. Will the vhost settings be overwritten / what is the best thing to do?
 
Change your /etc/php.ini file to globally set Safe_mode, then for domain by domain settings, use:

Sample vhost.conf (non-SSL)

<Directory /home/httpd/vhosts/domain.com/httpdocs>
php_admin_value safe_mode 0
/home/httpd/vhosts/domain.com/httpdocs:/tmp:/usr/share/pear
php_admin_value register_globals on
</Directory>

safe_mode value can be either 0 or 1

If you needed open_basedir, then add:
php_admin_value open_basedir

And every RH9/Plesk install I have ever done, the default php setting is safe_mode off.
 
You must log in or register to reply here.

Similar threads

P
Question What would happen if I turned off/removed SMTP entirely in Plesk?
Replies
5
Views
1K
Paul Larson
P
S
Issue Problems with Plesk
Replies
5
Views
1K
Peter Debik
P
Z
Question Woocommerce, Redis, PHP Settings - Newbie questions
Replies
5
Views
690
Zakky
Z
pr0tax
Question Stop SSH Port Scanning
Replies
0
Views
830
pr0tax
pr0tax
M
Resolved transvhosts.pl fails to update apache default DocumentRoot
Replies
16
Views
2K
Peter Debik
P
Back
Top