May we have an option on WHM for safe mode

Discussion in 'General Discussion' started by Radio_Head, Jan 16, 2003.

  1. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    Please Darkorb, may we have something to insert

    php_admin_value safe_mode 1

    only on some clients (something similar to the WHM shell page)?
    (it should also work on subdomains)


    Pleaseeeeeeee !!!!!!
    (today a client (hacker) installed php myshell .. arghhh!!!)
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    It may not solve much, as any of the scripts that mimic shell access (not just php but also cgi, pl etc..) run commands as the webserver user ID and not the actual user.

    Just my thoughts.
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    I solved it another way:

    safe mode for all clients in /etc/php.ini

    If a client (a good client :) ) asks me for PHP safe mode off,
    I will add these lines to the Apache conf

    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user:/tmp"

    After today I have understood that "Safe mode" is a must-have on a shared server.
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Actually that would work pretty good, less changes need to be done (hopefully) and things are a little more secure.
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    Originally posted by dgbaker:

        Actually that would work pretty good, less changes need to be done (hopefully) and things are a little more secure.

    Dgbaker, have you seen the vulnerability in Agora (I am talking about the command section)?

    Is there any way to deactivate this Perl functionality in a way similar to PHP safe mode?

    Thanks
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    We are removing all shopping carts with the exception of OsCommerce.

    At least the commando in Agora runs as the user.

    commando.ok:
    Delete this file to remove (disable) the commando menu item.

    It will exist in any existing cart in the protected directory and it can be removed from
    /usr/local/cpanel/3rdparty/store/protected
     
  7. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    Originally posted by dgbaker:

        We are removing all shopping carts with the exception of OsCommerce.

        At least the commando in Agora runs as the user.

        commando.ok:
        Delete this file to remove (disable) the commando menu item.

        It will exist in any existing cart in the protected directory and it can be removed from
        /usr/local/cpanel/3rdparty/store/protected

    Yes, I know how to remove it from Agora (just removed from time); however, I am saying that any client with Perl experience could write something similar to the Agora command or similar to the php myshell.

    Is there nothing to be safe from these kinds of Perl scripts?
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    I can't think of any way offhand. The only saving grace is that it would be run as the user, but as we all know, give an experienced programmer the time and they can get around almost anything.
     
  9. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    sorry again ..

    What do I have to set in my php.ini on this line?

    safe_mode_exec_dir =
     
  10. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    As far as I know that directive is only for PHP as a CGI.

    I think it serves the same purpose as open_basedir for CGI mode.

    It would be set to /home/user as well.

    Also note that if you enable dynamic module loading with the enable_dl directive, it's possible the safe_mode restrictions could be bypassed.
     
  11. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    In this case I have a problem.

    In my /etc/php.ini I have set safe mode on, but
    when I make a php info, it still shows that
    safe mode is off ...

    Any idea?
    (I restarted Apache after editing php.ini; do I have to do something else?)
     
  12. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    ok I found the solution

    the php.ini used by cPanel is

    /usr/local/lib/php.ini

    and NOT

    /etc/php.ini
     
  13. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    316
    Viva Lazio! ;)

    Did I say it right?
     
  14. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    373
    Likes Received:
    1
    Trophy Points:
    318
    No, Forza Juve anytime! ;)
     
  15. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    343
    Originally posted by moronhead:

        Viva Lazio! ;)

        Did I say it right?

    right ;) :p
     
  16. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    274
    Likes Received:
    2
    Trophy Points:
    316
    How to know which users are using system functions

    I want to restrict the system() and the other functions executing system to only a few directories with safe_mode_exec_dir.

    How can I insert various directories in safe_mode_exec_dir?
    How can I know which users are using system functions in PHP, to evaluate their inclusion in safe_mode_exec_dir?

    Thanks!
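
One way to approach the second question in the post above, as an added example that is not part of the original thread: a shell function that counts, per account, the PHP files that call command-execution functions. The one-directory-per-user layout, the function names `php_exec_users` and `make_sample_tree`, and the sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list accounts whose PHP files call
# command-execution functions. Assumes one directory per user under ROOT.

# Functions that pass a command line to the OS. The backtick operator is
# not covered by this list.
EXEC_FUNCS='system|exec|shell_exec|passthru|popen|proc_open'

# php_exec_users ROOT
# Prints "<user> <matching-file-count>" for each directory directly under ROOT.
php_exec_users() {
    local root=$1 dir user count
    # The leading character class skips curl_exec(), $pdo->exec(), Foo::exec().
    local pattern="(^|[^A-Za-z0-9_>:\$])($EXEC_FUNCS)[[:space:]]*\("
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        user=$(basename "$dir")
        count=$(find "$dir" -type f -name '*.php' \
                    -exec grep -lE "$pattern" {} + 2>/dev/null | wc -l | tr -d ' ')
        [ "$count" -gt 0 ] && printf '%s %s\n' "$user" "$count"
    done
    return 0
}

# Builds a constructed sample tree (three made-up accounts) and prints its path.
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html" "$t/bob/public_html" "$t/carol/public_html/inc"
    printf '%s\n' "<?php system('ls'); ?>" > "$t/alice/public_html/list.php"
    printf '%s\n' '<?php $o = shell_exec("uptime"); ?>' > "$t/alice/public_html/up.php"
    printf '%s\n' '<?php curl_exec($ch); $db->exec("SELECT 1"); ?>' > "$t/bob/public_html/api.php"
    printf '%s\n' "<?php passthru ('date'); ?>" > "$t/carol/public_html/inc/d.php"
    printf '%s\n' "system('ls') in a note" > "$t/carol/notes.txt"   # not a .php file
    printf '%s\n' "$t"
}

# Demo on the constructed tree; on a real server: php_exec_users /home
sample=$(make_sample_tree)
php_exec_users "$sample"     # prints "alice 2" and "carol 1"
rm -rf "$sample"
```

A hit only shows that a call appears in a file, not that the code path is reachable, so the output is a starting list for review rather than a verdict.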
     