.htaccess, php, secure issue

[kuwaitnt]

hello all

can i ask for help

i have server and provide share hosting

and i have set the php.ini to

safe_mode = on
global_registres = off
and disable some function (system,exec ...etc)

my question is :

1- can my client use .htaccess file to set safe_mode to off and globael_registres to on ??

2 - i have set safe_mode to off and global_registres to on for one site on vhost on httpd.conf
so it was work great but i use AWBS script (awbs.com) and when i run cron job i have this error massage

<br />
<b>Warning</b>: set_time_limit(): Cannot set time limit in safe mode in <b>/home/XXXXX/public_html/tools/master_cron.php</b> on line <b>3</b><br />

and as i say i have set safe_mode to off for this site so how can fix this issue ??

3 - i use mod_security can our client disabel it from .htaccess file ??

4 - how can i run my php compiler as CGI Mode ??

[kuwaitnt]

are there any one can help ??

[NT]

Hi,

Take a look here to see a list of what is configurable, and how you can configure them.

Hope that helps.

[kuwaitnt]

thanks NT but there are no useful thing on that page

[NT]

On the contrary - if it is PHP_INI_PERDIR or PHP_INI_ALL, then it can be set in htaccess.

All you need to do is find the directives you want to check, and if they match the constants above, you can set them through htaccess.

[NT]

To answer your questions:

Safe Mode can't be set in htaccess
Register Globals can be set in htaccess

Hope that helps

[bidouilleur]

True you can manipulate some settings via .htaccess but ...

You cannot manipulate the php.ini settings with .htaccess when running PHP as cgi/phpsuexec. If you are using .htaccess with php_value entries within it, you would receive an internal server 500 error when attempting to access the scripts. This is because PHP is no longer running as an Apache module and Apache will not handle those directives any longer. All PHP values should be removed from your .htaccess files to avoid this issue.

source

[kuwaitnt]

thanks all


but the importent question

are there any solution to fix this issue

<br />
<b>Warning</b>: set_time_limit(): Cannot set time limit in safe mode in <b>/home/XXXXX/public_html/tools/master_cron.php</b> on line <b>3</b><br />


?? and as i say i have set safe_mode on on httpd.conf for all web site only one web site i set to off

[Spiral]

1- can my client use .htaccess file to set safe_mode to off and globael_registres to on ??

If you do not have phpSuExec then the client cannot override safe_mode but
they will be able to enable register_globals. If you are using phpSuExec then
then client will be able to override both of these values which is one of the
reasons I'm not particularily keen on phpSuExec.

2 - i have set safe_mode to off and global_registres to on for one site on vhost on httpd.conf
so it was work great but i use AWBS script (awbs.com) and when i run cron job i have this error massage

<br />
<b>Warning</b>: set_time_limit(): Cannot set time limit in safe mode in <b>/home/XXXXX/public_html/tools/master_cron.php</b> on line <b>3</b><br />

and as i say i have set safe_mode to off for this site so how can fix this issue ??

Some commands like safe_mode, disable_functions, and a few others are ignored
when they are are put in httpd.conf or .htaccess files because those items would
be useless if they could be changed in those places because the client would
also have full access to change those values.

3 - i use mod_security can our client disabel it from .htaccess file ??

Unfortunately ... YES! And we are actually having a lot of problems with that right now
at our hosting service and have implemented a "you disable, you get deleted" policy.
Most of the users caught disabling mod_security are doing so to unblock disallowed
content and that is unacceptable.

[clook]

Unfortunately ... YES! And we are actually having a lot of problems with that right now
at our hosting service and have implemented a "you disable, you get deleted" policy.
Most of the users caught disabling mod_security are doing so to unblock disallowed
content and that is unacceptable.

See here: http://www.modsecurity.org/documenta...on.html#N1027D

You can compile mod_security with the -DDISABLE_HTACCESS_CONFIG flag which will prevent any users disabling or modifying your mod_security ruleset.

[kev888]

I'm curious how they'd first disable it, what command in HTACCESS and how you could scan for those users who did it?

[Secret Agent]

How do I enabled safe mode On for one client? I have register globals off and phpsuexec support enabled as well

[sumith]

How do I enabled safe mode On for one client? I have register globals off and phpsuexec support enabled as well

Put the php.ini under the home directory of that particular user and "turn on" safe mode in that php.ini file.

[joel69]

Hello. I have encountered the same problem. I have register_globals disabled in /etc/php.ini for security reasons, and phpSuExec enabled. Now comes along a customer who has php scripts that require register_globals to be enabled. So I copied /etc/php.ini to his home directory ( eg: /home/user1 ). I also copied it to /home/user1/etc, /home/user1/public_html, and /home/user1/public_html/includes ... I put a file called phpinfo.php (with the contents: <?php phpinfo(); ?> ). According to the output of that file, register_globals is still off. Apache has been restarted serveral times with both /scripts/restartsrv_apache and service httpd restart, but still I am seeing the same resutls. PHP is 5.0.5, created with /scripts/easyapache . The permsions on the php.ini file are 644, and the user and group of the php.ini file are set to the user who needs register_globals enabled.

This is DRIVING ME NUTS! In the past I have enabled register_globals for a single site using the same technique, and it worked. Does anybody have any idea why it would not work in this case?

[sleddog]

...So I copied /etc/php.ini to his home directory ( eg: /home/user1 )....

The php.ini must be place in the same directory as the PHP scripts. If you have scripts in multiple directories or subdirectories, a copy of php.ini must be place in each directory or subdirectory.