The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

May we have an option on WHM for safe mode

Discussion in 'General Discussion' started by Radio_Head, Jan 16, 2003.

  1. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Please Darkorb , may we have something to insert

    php_admin_value safe_mode 1

    only on some clients (something similar to the WHM shell page) ?
    (it should work also on subdomain)


    Pleaseeeeeeee !!!!!!
    (today a client (hacker) installed php myshell .. arghhh!!!)
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    It may not solve much, as any of the scripts that mimic shell access (not just php but also cgi, pl etc..) run commands as the webserver user ID and not the actual user.

    Just my thoughts.
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I solved in other way

    safe mode for all clients on /etc/php.ini

    If a client (good client :) ) will ask me php safe off
    I will add these lines on apache conf

    php_admin_value safe_mode 0
    php_admin_value open_basedir &/home/user:/tmp&

    After today I have understand that &Safe mode& is a must to have on a shared server .
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Actually that would work pretty good, less changes need to be done (hopefully) and things are a little more secure.
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    [quote:6154c35cec][i:6154c35cec]Originally posted by dgbaker[/i:6154c35cec]

    Actually that would work pretty good, less changes need to be done (hopefully) and things are a little more secure.[/quote:6154c35cec]

    Dgbaker , do you have seen the vulnerability on Agora ( I am talking about the command section) ?

    Is there any way to deactivate these perl functionality in a similar way of php safe mode ?

    Thanks
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    We are removing all shopping carts with the exception of OsCommerce.

    At least the commando in Agora runs as the user.

    commando.ok:
    Delete this file to remove (disable) the commando menu item.

    It will exist in any existing cart in the protected directory and it can be removed from
    /usr/local/cpanel/3rdparty/store/protected
     
  7. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    [quote:68db8d0641][i:68db8d0641]Originally posted by dgbaker[/i:68db8d0641]

    We are removing all shopping carts with the exception of OsCommerce.

    At least the commando in Agora runs as the user.

    commando.ok:
    Delete this file to remove (disable) the commando menu item.

    It will exist in any existing cart in the protected directory and it can be removed from
    /usr/local/cpanel/3rdparty/store/protected
    [/quote:68db8d0641]

    yes I know how to remove it from agora (just removed from time) however I am discussing that any client with perl experience could write something similar to the agora command or similar to the php myshell .

    Is there nothing to be safe from these kind of perl script ?
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    I can't think of anyway off hand. The only saving grace is that it would be ran as the user, but as we all know give an experienced programmer the time and they can get around almost anything.
     
  9. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    sorry again ..

    what I have to set on my php.ini on this line ?

    safe_mode_exec_dir =
     
  10. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    As far as I know that directive is only for PHP as a CGI.

    I think it serves the same purpose as open_basedir for CGI mode.

    It would be set to /home/user as well.

    Also note that if you enable dynamic module loading with the enable_dl directive, it's possible the safe_mode restrictions could be bypassed.
     
  11. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    In this case I have a problem .

    On my etc/php.ini I have set safe mode on , but
    when I make a php info , it still shows that
    safe mode is off ...

    Any idea ?
    (I restarted apache after editing php.ini , have i to do something else ?)
     
  12. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    ok I found the solution

    the php.ini used be cpanel is

    /usr/local/lib/php.ini

    and NOT

    /etc/php.ini
     
  13. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    Viva Lazio! ;)

    Did I say it right?
     
  14. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    360
    Likes Received:
    0
    Trophy Points:
    16
    No, Forza Juve anytime! ;)
     
  15. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    [quote:15f3e6d549][i:15f3e6d549]Originally posted by moronhead[/i:15f3e6d549]

    Viva Lazio! ;)

    Did I say it right?[/quote:15f3e6d549]

    right ;) :p
     
  16. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
    How to know which users are using system functions

    I want to restrict the system() and the other functions executing system to only a few directories with safe_mode_exec_dir.

    How can I insert various directories in safe_mode_exec_dir?
    How can I know which users are using system functions in php to value their inclusion in safe_mode_exec_dir?

    Thanks!
     
Loading...

Share This Page