Thread: phpsuexec and safe mode

  1. #1
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    phpsuexec and safe mode

    It seems that phpsuexec works with php safe mode; however, it no longer accepts the line

    php_admin_value safe_mode 0

    in httpd.conf to set php safe mode off for a particular account.
    (If you have php_admin_value safe_mode 0 or php_admin_value safe_mode off in your httpd.conf, apache fails.)


    Am I right?
    Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
    █ ASSP Deluxe is supported by Fritz Borgstedt,ASSP main developer.

  2. #2
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    Originally posted by thaphantom
    phpSuExec doesn't work. I would not suggest running it. It is more of a figurehead of it working than it actually does.

    I agree

  3. #3
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    Originally posted by thaphantom
    wow I was tired, I meant to say safe_mode doesn't work
    phpSuExec works great

    Do you want to say that safe_mode AND phpsuexec don't work together, or do you simply want to say that safe_mode is not good?


    Last edited by Radio_Head; 04-02-2003 at 02:37 AM.

  4. #4
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    Originally posted by thaphantom
    #1 they don't work together
    #2 safe_mode isn't good, it doesn't work well and what it is intended for just doesn't seem to work right

    Why is safe mode not good? phpsuexec will permit you to track users using php scripts, but will not permit you to know if a user is using php filesystem commands outside their /home/user dir.

    I use safe mode on my boxes and it works great. I had only 1 problem with osEcommerce but it was fixed by creating a script that stores the session ids in mysql, avoiding any error due to php safe mode. "Works great" means that I am safe from the execution of dangerous php filesystem commands; and safe mode works better than the php_admin_value open_basedir.
    When a client asks me for php safe mode off, I place these lines in httpd.conf

    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user:/tmp"

    These lines deactivate safe mode for that specific account;
    regarding php security I still have the open_basedir in action.

    phpsuexec seems to be a great idea (such as suexec), because it permits me not only to refuse the nobody mail, but also to check who is executing a php script (tos /ps ..).

    However, php safe mode is also a must-have for the php security reasons I explained above.

    At this time it seems that php safe_mode and phpsuexec cannot work at the same time. To be more exact, the line
    php_admin_value safe_mode 0/1 is no longer accepted
    in the apache httpd.conf, and this limits the possibility of turning
    off safe_mode for some accounts.

  5. #5
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    Originally posted by thaphantom
    right safe_mode doesn't seem to work with phpsuexec correctly
    "I am safe from the execution of php dangerous php filesystem commands"
    Many people I have talked to say that is what it is intended to do, but it doesn't work well, a good programmer can still get around it. I myself am not able to comment directly on this as I do not know, I have never used it, this is just what I have heard.

    I know that it's easy to get around "php_admin_value open_basedir" (I was able to do that too), but it's the first time I've heard you can get around php safe mode.

    I think the only way to get around php safe mode is to use perl. Yes, with perl you can use something similar to the php filesystem functions, and there is nothing to prevent this, and with cgi suExec you know who is using a perl script but you don't know WHAT he is doing with that script.

    While php was developed paying attention to shared servers too (safe_mode and open base dir), perl has nothing similar to reduce security problems on a shared server.



    Last edited by Radio_Head; 04-02-2003 at 03:19 AM.

  6. #6
    vishal (Member)
    Join Date: Jan 2003
    Location: India
    Posts: 343

    where is phpsuexec

    Hello,

    Sorry for the Interruption!!!!

    I have the same problem with the mail() function not working with php. I have upgraded my whm and I am on WHM 6.2.0, Cpanel 6.2.0-S56, RedHat 7.3.

    I enabled "Prevent Nobody from sending mails" in Tweak Settings and even disabled it, before the upgrade and after the upgrade, but still my mail() function is not working for sending mails out.

    My question is where is this phpsuexec located? I have suexec enabled. Do I need to install it from somewhere?

    Can you please put me on the correct path?

    Regards,

    rh_linuxion

    It is very simple to be Happy but it is very difficult to be Simple.

  7. #7
    Member
    Join Date: Dec 2002
    Posts: 315

    Run /scripts/easyapache and install it with suexec enabled. That will fix that problem. Either that or switch off that function.

  8. #8
    rnh (Member)
    Join Date: Apr 2003
    Posts: 118

    Originally posted by Radio_Head
    When a client asks me for php safe mode off, I place these lines in httpd.conf

    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user:/tmp"

    Radio_Head,

    Sorry to bother you about this but I am curious exactly where you put this in Cpanel.

    Would we put it in http.conf in the following section for the site we're disabling safe mode for?

    <VirtualHost xx.xx.xx.xx>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /sites/user/public_html
    User user
    Group user
    ServerName www.domain.com
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /sites/user/public_html/cgi-bin/
    </VirtualHost>

    So that it looked like this?

    <VirtualHost xx.xx.xx.xx>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /sites/user/public_html
    User user
    Group user
    ServerName www.domain.com
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /sites/user/public_html/cgi-bin/
    php_admin_flag safe_mode off
    php_admin_value open_basedir "/sites/user:/tmp"

    </VirtualHost>

    In Ensim all that we had to do was create a file in /etc/httpd/conf/site#/ with those values and Apache processed all the files in that directory on its startup.

  9. #9
    rnh (Member)
    Join Date: Apr 2003
    Posts: 118

    well, to answer my own question, yes.

  10. #10
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    Originally posted by rnh
    Radio_Head,

    Sorry to bother you about this but I am curious exactly where you put this in Cpanel.

    Would we put it in http.conf in the following section for the site we're disabling safe mode for?

    <VirtualHost xx.xx.xx.xx>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /sites/user/public_html
    User user
    Group user
    ServerName www.domain.com
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /sites/user/public_html/cgi-bin/
    </VirtualHost>

    So that it looked like this?

    <VirtualHost xx.xx.xx.xx>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /sites/user/public_html
    User user
    Group user
    ServerName www.domain.com
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /sites/user/public_html/cgi-bin/
    php_admin_flag safe_mode off
    php_admin_value open_basedir "/sites/user:/tmp"

    </VirtualHost>

    In Ensim all that we had to do was create a file in /etc/httpd/conf/site#/ with those values and Apache processed all the files in that directory on its startup.

    Yes, you are right, in
    <VirtualHost xx.xx.xx.xx>

    However, pay attention: open_basedir does not have the same security as safe mode.

  11. #11
    rnh (Member)
    Join Date: Apr 2003
    Posts: 118

    How do you get around the problems with horde webmail with safemode on globally? Or do you turn it off globally and turn it on on a site-by-site basis?

    Does Cpanel allow us to edit the template for the <VirtualHost xxx.xxx.xxx.xxx> entries that it puts into httpd.conf?

    And can we remove the links to horde webmail and neomail and change the link there globally, or do we have to do it individually for each skin we install?

    I'm not too worried about the security of safe mode since I'm not hosting people that I don't know, just sharing my server with some people that I know, and open_base_dir seems to have a few problems but not as many as we run into with safe mode, so I've had better luck turning it off for them as there are too many PHP scripts out there that need safe mode turned off.

    Thanks!
    Last edited by rnh; 04-18-2003 at 05:33 PM.

  12. #12
    Member
    Join Date: May 2003
    Posts: 616

    Originally posted by Radio_Head
    I know that it's easy to get around "php_admin_value open_basedir" (I was able to do that too), but it's the first time I've heard you can get around php safe mode.

    I think the only way to get around php safe mode is to use perl. Yes, with perl you can use something similar to the php filesystem functions, and there is nothing to prevent this, and with cgi suExec you know who is using a perl script but you don't know WHAT he is doing with that script.

    What are the effects of using BOTH safe_mode AND open_basedir? I have tried this on modernbill and it seems to have no negative results. Will one cancel the effects of the other? Or will they work together for even more protection?



  13. #13
    Radio_Head (Member; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date: Feb 2002
    Posts: 2,075

    Originally posted by goodmove
    What are the effects of using BOTH safe_mode AND open_basedir? I have tried this on modernbill and it seems to have no negative results. Will one cancel the effects of the other? Or will they work together for even more protection?

    If you have safemode on, I cannot see a single reason to also use open_basedir.

    If you have safemode on and you disable safemode for 1 user (or more), it's a good idea to use open_basedir for the users who have safemode off.


    Bye

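The practice described in posts #4 and #13 (any account that has safe_mode switched off should still carry an open_basedir limit) can be checked across a whole httpd.conf. The Python below is an added example, not code from the thread or from cPanel; the sample configuration is constructed, and treating the parent of DocumentRoot as the account home and allowing /tmp are assumptions based on the layouts quoted in the thread.

```python
import posixpath
import re
# Constructed sample shaped like the httpd.conf entries quoted in this thread.
SAMPLE = """
<VirtualHost 192.0.2.10>
ServerName alpha.example
DocumentRoot /home/alpha/public_html
php_admin_flag safe_mode off
php_admin_value open_basedir "/home/alpha:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName beta.example
DocumentRoot /home/beta/public_html
php_admin_value safe_mode 0
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName gamma.example
DocumentRoot /home/gamma/public_html
php_admin_flag safe_mode off
php_admin_value open_basedir "/home:/tmp"
</VirtualHost>
"""
VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
LINE = re.compile(r"^[ \t]*([^\s#]\S*)[ \t]+(.+?)[ \t]*$", re.M)

def under(path, root):
    """True if path is root itself or lies below it."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(conf):
    """Map ServerName -> finding for each vhost that turns safe_mode off."""
    findings = {}
    for body in VHOST.findall(conf):
        d = {}
        for key, rest in LINE.findall(body):
            if key.lower() in ("php_admin_value", "php_admin_flag"):
                key, rest = (rest.split(None, 1) + [""])[:2]
            d[key.lower()] = rest.strip('"')
        if d.get("safe_mode", "on").lower() not in ("0", "off"):
            continue  # safe mode still applies to this account
        # Assumption: the account home is the parent of DocumentRoot.
        home = posixpath.dirname(posixpath.normpath(d.get("documentroot", "/")))
        dirs = [p for p in d.get("open_basedir", "").split(":") if p]
        wide = [p for p in dirs if p != "/tmp" and not under(p, home)]
        findings[d.get("servername", "?")] = (
            "no open_basedir" if not dirs
            else "too broad: " + ",".join(wide) if wide else "ok")
    return findings
```

Calling `audit(SAMPLE)` reports the account with no open_basedir and the one whose open_basedir reaches above its own home directory; vhosts that leave safe_mode on are not listed.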

  14. #14
    Member
    Join Date: May 2003
    Posts: 616

    Originally posted by Radio_Head
    If you have safemode on, I cannot see a single reason to also use open_basedir.

    There may be ONE reason and I sent you a PM about this for you to evaluate.



  15. #15
    Member
    Join Date: Aug 2002
    Posts: 62

    I don't know what people are talking about saying that you have less control with Perl. If you run mod_perl, it has the same problems as mod_php. If you run suexecphp, then PHP is just going to run as CGI. This is nothing new, this patch has been out forever, Cpanel just uses it (they didn't create it). Look for yourself at: http://www.localhost.nl/patches/.

    Either perl and/or PHP running as CGI with SuEXEC, will allow you to set the permissions on the user's parent directories and disallow any other users from snooping around. Perl as CGI allows you more control in regards to limiting the resources each virtual host can use in regards to memory, CPU, process time and how many processes can be used per Vhost at any given time in total. Finally, it will allow you to track spam and various other processes (no more trying to track down who installed or ran a 'nobody' owned process--though I recommend you disable exec and suid (among other things, such as dev, etc.) in /tmp and mount it separately).

    Thus, mod_{php,perl} are the problem, not CGI or anything that runs in the CGI environment--yet CGI is slower; hence the overall problem and the toss-up on which is a better method. However, consider this: in a shared server environment, any site that really would benefit from the fact that mod_* has less overhead than CGI and it's a well coded, efficient script, will be the type that should be limited anyway, rather than risking them taking down your server.

    After all, bad code is bad code--be it PHP or Perl, in mod_perl or mod_php format, or CGI. At least you have better overall control with CGI, better security, better tracking and so on. The problem is the overhead with CGI, but again, a well coded script won't really suffer from those problems and it's only the overhead that will add up with a lot of hits on a script--but then you can at least control and limit how many resources that will consume in total and prevent crashes as well.

    The overall solution is Apache 2.x w/ the MPM module, but this isn't a perfect solution yet--once it is, you can run modules in per vhost limits and have the processes embedded in the httpd process still, but without being CGI. I impatiently await that day (and no, I have no interest in developing such a thing (like others are trying to do currently), since it's already being in MPM, no one's accomplished it yet and it's buggy, and by the time they are perfected, if ever, it will be obsolete 1.x source code and Apache 2.x and MPM will have the same thing that you'd have to migrate to anyway). That, in a nutshell, is the issue. I recommend the above solution, but you may disagree with the logic (though I don't know why).

    I'm Tim.
