1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

safe_mode off by default?

Discussion in 'Plesk for Linux - 8.x and Older' started by ad7742, Apr 6, 2005.

  1. ad7742

    ad7742 Guest


    Can anyone let me know if their server has safe_mode off by default? My last installs have done and it's really insecure...

    I'm using RedHat Enterprise Linux 3 (fully patched) and Plesk 7.5 Reloaded (fully patched).

    My php.ini file is set to have safe_mode off, and also it's also set to off in the main Plesk httpd.include file (i.e. the one in /etc/httpd/conf/). I just wanted to see if it's something I'm doing wrong during the install (which I'm pretty certain isn't the case...) or if it's default - i.e. does everyone else have this?

    For your info, having safe_mode off essentially gives any client SSH access to the web server, logged in as Apache. I was recently introduced to a php script that does this.

    For security reasons, I'm not going to post any more info on the php script here.

    I was shown the script by a client (of all people...) who thankfully didn't realise how powerful the login was - he was just showing me that it let him browse any folder on the server. However, I did a test and successfully compiled a "helloWorld.c" C program using gcc. It ran as the user "apache"; therefore any files (including the httpd config files) could be edited by this login. Basically, any client could really break the server.

    Any feedback would be appreciated.


  2. jimroe

    jimroe Guest

    The status of PHP Safe Mode is really determined by the OS and what version you have and what you may do during / after the installation. Historically, PHP would install with safe_mode Off and register_globals On but neither is a safe setting.

    On all new servers, the first thing I do is turn safe_mode On, register_globals Off and allow_url_fopen Off. Then the site code has to be written to run under those settings. If my some chance I have to support a PHP application that requires register_globals On or safe_mode Off, I do this in the context of that domain in a vhost.conf file.
  3. Herby

    Herby Guest

    This is exactly what I am trying to do right now.

    Only prob is that I dont know how the vhost.conf should look like for this matter.

    Could some1 please post a vhost.conf for just changing php safe mode to off and globals on
    this would be great.

  4. manarak

    manarak Guest

    I would be happy too if someone could explain how to do this with Plesk on the server. Will the vhost settings be overwritten / what is the best thing to do?
  5. jamesyeeoc

    jamesyeeoc Guest

    Change your /etc/php.ini file to globally set Safe_mode, then for domain by domain settings, use:

    Sample vhost.conf (non-SSL)

    <Directory /home/httpd/vhosts/domain.com/httpdocs>
    php_admin_value safe_mode 0
    php_admin_value register_globals on

    safe_mode value can be either 0 or 1

    If you needed open_basedir, then add:
    php_admin_value open_basedir

    And every RH9/Plesk install I have ever done, the default php setting is safe_mode off.