
PHP suexec and security

Discussion in 'Security' started by barts, Aug 20, 2005.

  1. barts

    Hello,

    I installed PHP suexec with PHP 4.4.0. I have safe_mode = On and have disabled some functions in my php.ini (/etc/php.ini). When my clients create a php.ini file in their public_html directory, they can have safe_mode off and system() on. How can I prevent them from creating php.ini, or change the settings so that Apache doesn't see their php.ini and uses only /etc/php.ini?

    Can you help me?
     
  2. jamesbond

    I don't think you can prevent that with phpsuexec. Even if you chown/chmod the php.ini file to root, a customer can simply create a subdirectory and add their own php.ini and scripts there.
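
    An audit for the situation described in this thread, as an added example that is not part of the original posts: it walks a home-directory root and reports every user-created php.ini, at any depth since a subdirectory copy works too, that sets one of the directives discussed. The function names, the watch list and the /home default are assumptions.

```python
import os
import sys

# Directives discussed in the thread; this watch list is an assumption.
WATCHED = ("safe_mode", "disable_functions", "open_basedir")


def parse_ini_directives(text):
    """Return {directive: value} for simple `name = value` php.ini lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        found[name.strip().lower()] = value.strip().strip('"')
    return found


def find_user_php_ini(home_root, watched=WATCHED):
    """List (path, directive, value) for each php.ini under home_root
    that sets a watched directive. Subdirectories are included."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(home_root):
        dirnames.sort()  # deterministic order for reporting
        if "php.ini" not in filenames:
            continue
        path = os.path.join(dirpath, "php.ini")
        if not os.path.isfile(path):  # skip FIFOs, devices, dangling links
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                directives = parse_ini_directives(fh.read())
        except OSError:
            continue  # unreadable file: nothing to report from it
        for name in watched:
            if name in directives:
                findings.append((path, name, directives[name]))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, name, value in find_user_php_ini(root):
        print(f"{path}: {name} = {value!r}")
```

    Run it from cron as a user that can read the account directories and compare the output against the values set in /etc/php.ini.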
     
  3. barts

    Also, is PHP suexec with safe_mode off and system() enabled secure? Is it more secure than PHP as a module with safe_mode on, system() disabled and open_basedir?
     
  4. rs-freddo

    Even with the module version of PHP you can turn safe mode off via a .htaccess file.

    It's a PHP problem that really should have been addressed a long time ago.

    So, to answer your question....
    It's safer to have phpsuexec than not. Safe mode can be turned off no matter what you use.
     
  5. jamesbond

    This is not true.
     
  6. rs-freddo

    When I used php as a module and I needed safe mode off for one site, I used a .htaccess file with the safe mode off directive. I must admit I haven't used php module for several years, maybe something has changed. Or maybe jamesbond doesn't realise you can turn safe mode off....
     
  7. jamesbond

    http://www.php.net/manual/function.ini-set.php

    PHP_INI_USER 1 Entry can be set in user scripts
    PHP_INI_PERDIR 2 Entry can be set in php.ini, .htaccess or httpd.conf
    PHP_INI_SYSTEM 4 Entry can be set in php.ini or httpd.conf
    PHP_INI_ALL 7 Entry can be set anywhere
     
  8. barts

    I installed PHP5 on my server (PHP suexec). I created a php.ini file in my home directory, and php4 uses this php.ini as its config but php5 doesn't use it. Why? Maybe php.ini in php5 must have another name (e.g. php5.ini)?
     