
phpsuexec and safe mode

Discussion in 'General Discussion' started by Radio_Head, Apr 1, 2003.

  1. Radio_Head

    Radio_Head, Well-Known Member (Joined: Feb 15, 2002; Messages: 2,051; Likes Received: 1; Trophy Points: 38)
    It seems that phpsuexec works with PHP safe mode; however,
    it no longer accepts the line

    php_admin_value safe_mode 0

    in httpd.conf to set PHP safe mode off for a particular account.
    (If you have php_admin_value safe_mode 0 or php_admin_value safe_mode off in your httpd.conf, Apache fails.)


    Am I right?
     
  2. Radio_Head

    I agree ;)
     
  3. Radio_Head

    ;) Do you want to say that safe_mode AND phpsuexec don't work together, or do you simply want to say that safe_mode is not good?
     
    #3 Radio_Head, Apr 2, 2003
    Last edited: Apr 2, 2003
  4. Radio_Head


    Why is safe mode not good? phpsuexec will permit you to track users using PHP scripts, but will not permit you to know if a user is using PHP filesystem commands outside their /home/user dir.

    I use safe mode on my boxes and it works great. I had only 1 problem with osCommerce, but it was fixed by creating a script that stores the session IDs in MySQL, avoiding any error due to PHP safe mode. "Works great" means that I am safe from the execution
    of dangerous PHP filesystem commands; and safe mode works better than the php_admin_value open_basedir.
    When a client asks me for PHP safe mode off, I place these lines in httpd.conf:

    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user:/tmp"

    These lines deactivate safe mode for that specific account;
    regarding PHP security I still have the open_basedir in action.

    phpsuexec seems to be a great idea (like suexec), because it permits me not only to refuse the nobody mail, but also to check who is executing a PHP script (tos /ps ..).

    However, PHP safe mode is also a must-have for the PHP security reasons I explained above.

    At this time it seems that PHP safe_mode and phpsuexec cannot work at the same time. To be more exact, the line
    php_admin_value safe_mode 0/1 is no longer accepted
    in Apache httpd.conf, and this limits the possibility to turn
    off safe_mode for some accounts.
     
  5. Radio_Head

    I know that it's easy to get around "php_admin_value open_basedir" (I was able to do that too), but it's the first time I hear you can get around PHP safe mode.

    I think the only way to get around PHP safe mode is to use Perl :mad: . Yes, with Perl you can use something similar to the
    PHP filesystem functions, and there is nothing to avoid this
    :( and with CGI suEXEC you know who is using a Perl script but you don't know WHAT he is doing with that script.

    While PHP was developed paying attention to shared servers too (safe_mode and open_basedir), Perl has nothing similar to reduce security problems on a shared server.
     
    #5 Radio_Head, Apr 2, 2003
    Last edited: Apr 2, 2003
  6. vishal

    vishal, Well-Known Member (Joined: Jan 28, 2003; Messages: 340; Likes Received: 0; Trophy Points: 16; Location: India)
    where is phpsuexec

    Hello,

    Sorry for the Interruption!!!!

    I have the same problem with the mail() function not working with PHP. I have upgraded my WHM and I am on WHM 6.2.0,
    Cpanel 6.2.0-S56, RedHat 7.3.

    I enabled the "Prevent Nobody from sending mails" option from Tweak Settings and even disabled it, before the upgrade and after the upgrade, but still my mail() function is not working for sending mails out.

    My question is: where is this phpsuexec located? I have suexec enabled. Do I need to install it from somewhere?

    Can you please put me on the correct path?

    Regards,

    :confused:
     
  7. silversurfer

    silversurfer, Well-Known Member (Joined: Dec 29, 2002; Messages: 274; Likes Received: 0; Trophy Points: 18)
    Run /scripts/easyapache
    and install it with suexec enabled. That will fix that problem. Either that or switch off that function.
     
  8. rnh

    rnh, Well-Known Member (Joined: Apr 15, 2003; Messages: 118; Likes Received: 0; Trophy Points: 16)
    Radio_Head,

    Sorry to bother you about this but I am curious exactly where you put this in Cpanel.

    Would we put it in httpd.conf in the following section for the site we're disabling safe mode for?

    <VirtualHost xx.xx.xx.xx>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /sites/user/public_html
    User user
    Group user
    ServerName www.domain.com
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /sites/user/public_html/cgi-bin/
    </VirtualHost>

    So that it looked like this?

    <VirtualHost xx.xx.xx.xx>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /sites/user/public_html
    User user
    Group user
    ServerName www.domain.com
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /sites/user/public_html/cgi-bin/
    php_admin_flag safe_mode off
    php_admin_value open_basedir "/sites/user:/tmp"

    </VirtualHost>

    In Ensim all that we had to do was create a file in /etc/httpd/conf/site#/

    with those values and Apache processed all the files in that directory on its startup.
     
  9. rnh

    Well, to answer my own question, yes.
     
  10. Radio_Head

    Yes, you are right, in
    <VirtualHost xx.xx.xx.xx>

    However, pay attention: open_basedir does not have the same
    security as safe mode.
     
  11. rnh

    How do you get around the problems with Horde webmail with safe mode on globally? Or do you turn it off globally and turn it on on a site-by-site basis?

    Does Cpanel allow us to edit the template for the <VirtualHost xxx.xxx.xxx.xxx> entries that it puts into httpd.conf?

    And can we remove the links to horde webmail and neomail and change the link there globally or do we have to do it individually for each skin we install?

    I'm not too worried about the security of safe mode since I'm not hosting people that I don't know, just sharing my server with some people that I know. open_basedir seems to have a few problems, but not as many as we run into with safe mode, so I've had better luck turning it off for them, as there are too many PHP scripts out there that need safe mode turned off.

    thanks!
     
    #11 rnh, Apr 18, 2003
    Last edited: Apr 18, 2003
  12. goodmove

    goodmove, Well-Known Member (Joined: May 12, 2003; Messages: 624; Likes Received: 0; Trophy Points: 16)
    What are the effects of using BOTH safe_mode AND open_basedir? I have tried this on modernbill and it seems to have no negative results. Will one cancel the effects of the other? Or will they work together for even more protection?
     
  13. Radio_Head

    If you have safe mode on, I cannot see a single reason to also use
    open_basedir.

    If you have safe mode on and you disable it for 1 user (or more), it's a good idea to use open_basedir for users which have safe mode off.


    Bye

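The rule in the post above (an account with safe mode switched off should still be confined by open_basedir) can be checked mechanically across httpd.conf. This is an added example, not part of the original thread; the addresses, host names and paths in the sample configuration are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): list VirtualHosts that switch
# safe_mode off without confining PHP with open_basedir.

# audit_vhosts: reads Apache configuration on stdin and prints the
# ServerName of every offending <VirtualHost> block, one per line.
# Included files are not followed; feed them in separately.
audit_vhosts() {
    awk '
    $1 ~ /^#/             { next }                  # skip comment lines
                          { d = tolower($1) }       # directive names are case-insensitive
    d ~ /^<virtualhost/   { invh = 1; off = 0; based = 0; name = "(unnamed)"; next }
    d ~ /^<\/virtualhost/ { if (invh && off && !based) print name; invh = 0; next }
    !invh                 { next }
    d == "servername"     { name = $2 }
    d == "php_admin_value" || d == "php_admin_flag" {
        k = tolower($2); v = tolower($3); gsub(/"/, "", v)
        if (k == "safe_mode" && (v == "0" || v == "off" || v == "false" || v == "no")) off = 1
        # "none" is the usual way to unset open_basedir, so it does not count
        if (k == "open_basedir" && v != "" && v != "none") based = 1
    }'
}

# Constructed sample input; hosts, addresses and paths are placeholders.
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10>
ServerName www.alpha.example
DocumentRoot /home/alpha/public_html
php_admin_flag safe_mode off
php_admin_value open_basedir "/home/alpha:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.beta.example
DocumentRoot /home/beta/public_html
php_admin_value safe_mode 0
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.gamma.example
DocumentRoot /home/gamma/public_html
</VirtualHost>
EOF
}

sample_conf | audit_vhosts
```

To audit a real server, pipe its httpd.conf into `audit_vhosts` instead of the sample.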
     
  14. goodmove

    There may be ONE reason and I sent you a PM about this for you to evaluate. :)
     
  15. Tim Greer

    Tim Greer, Well-Known Member (Joined: Aug 11, 2002; Messages: 62; Likes Received: 0; Trophy Points: 6)
    I don't know what people are talking about saying that you have less control with Perl. If you run mod_perl, it has the same problems as mod_php. If you run suexecphp, then PHP is just going to run as CGI. This is nothing new, this patch has been out forever, Cpanel just uses it (they didn't create it). Look for yourself at: http://www.localhost.nl/patches/.

    Either perl and/or PHP running as CGI with SuEXEC, will allow you to set the permissions on the user's parent directories and disallow any other users from snooping around. Perl as CGI allows you more control in regards to limiting the resources each virtual host can use in regards to memory, CPU, process time and how many processes can be used per Vhost at any given time in total. Finally, it will allow you to track spam and various other processes (no more trying to track down who installed or ran a 'nobody' owned process--though I recommend you disable exec and suid (among other things, such as dev, etc.) in /tmp and mount it separately).

    Thus, mod_{php,perl} are the problem, not CGI or anything that runs in the CGI environment--yet CGI is slower; hence the overall problem and the toss up on which is a better method. However, consider this; In a shared server environment, any site that really would benefit from the fact that mod_* has less overhead than CGI and it's a well coded, efficient script, will be the type that should be limited anyway, rather than risking them taking down your server.

    After all, bad code is bad code--be it PHP or Perl, in mod_perl or mod_php format, or CGI. At least you have better overall control with CGI, better security, better tracking and so on. The problem is the overhead with CGI, but again, a well coded script won't really suffer from those problems and it's only the overhead that will add up with a lot of hits on a script--but then you can at least control and limit how much resources that will consume in total and prevent crashes as well.

    The overall solution is Apache 2.x w/ the MPM module, but this isn't a perfect solution yet--once it is, you can run modules in per vhost limits and have the processes embedded in the httpd process still, but without being CGI. I impatiently await that day (and no, I have no interest in developing such a thing (like others are trying to do currently), since it's already being in MPM, no one's accomplished it yet and it's buggy, and by the time they are perfected, if ever, it will be obsolete 1.x source code and Apache 2.x and MPM will have the same thing that you'd have to migrate to anyway). That, in a nutshell, is the issue. I recommend the above solution, but you may disagree with the logic (though I don't know why).

     
  16. goodmove

    I understood what you said more or less. Just could you briefly explain what you mean by this?

    > though I recommend you disable exec and suid (among other things, such as dev, etc.) in /tmp ...
     
  17. Tim Greer

    Sure,

    For security reasons, you should have /tmp on its own partition. This makes a significant difference (too much detail to try and get into, I recommend a google search if you require details as per the technical reasons, though I may attempt to elaborate and offer examples later (here) if I get the time). Mount /tmp on its own partition with such options as usrquota,rw,nosuid,nodev,noexec.

     
  18. Website Rob

    Website Rob, Well-Known Member (Joined: Mar 23, 2002; Messages: 1,506; Likes Received: 0; Trophy Points: 36; Location: Alberta, Canada; cPanel Access Level: Root Administrator)
    Although I agree that mod_perl is good to have (some of the better scripts even require it), I also understand that Cpanel & mod_perl (as a DSO anyway) do not work well together. My DC tried for weeks to get it installed and had even asked for help from DarkOrb. All to no avail.

    Other posts I've seen where people seem to be having major problems usually include mod_perl running on their system. So it would seem, even if one does get it working, new releases do not take this mod into consideration and problems can be frequent & major.


    Having /tmp on its partition is always a good idea, plus the restrictions mentioned by Tim (nice to see you again, Tim -- don't be a stranger ;)). It does require setting up when the hard drive is partitioned. So if you haven't done it already, it might be best to wait until the next server.

     
  19. compunet2

    compunet2, Well-Known Member (Joined: Feb 21, 2003; Messages: 310; Likes Received: 0; Trophy Points: 16)

    Setting the partition needs to be done when the drive is set up, but if it's already partitioned can't you put the restrictions on it by editing fstab?

     
  20. Tim Greer

    Yes, you can indeed. And, of course, (and we all know this, this is for the sake and benefit of other viewers), if they have free disk space anywhere, or another drive with some, they can create a partition that's a few hundred megs (maybe up to a gig, if they want) and then make /tmp have its own partition with these mount options. Most people surely know this already anyway, but I just thought I'd mention it, just in case.
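The /tmp hardening discussed in the last few posts (its own partition, mounted with nosuid, nodev and noexec, set through fstab) can be verified with a small check. This is an added example, not part of the original thread; the fstab excerpts are constructed and the device names are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): report which of the recommended
# hardening options are absent from the /tmp mount.

# tmp_missing_opts: reads fstab-format lines (the same column layout as
# /proc/mounts) on stdin. Prints the missing options comma-separated,
# "no-tmp-entry" if /tmp is not a separate mount, or nothing if all are set.
tmp_missing_opts() {
    awk '
    $1 ~ /^#/ { next }                        # skip comments
    $2 == "/tmp" {
        found = 1; missing = ""
        split("", have)                       # reset: the last /tmp entry wins
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) have[opt[i]] = 1
        m = split("nosuid nodev noexec", want, " ")
        for (i = 1; i <= m; i++) {
            if (want[i] in have) continue
            sep = (missing == "") ? "" : ","
            missing = missing sep want[i]
        }
    }
    END {
        if (!found) print "no-tmp-entry"
        else if (missing != "") print missing
    }'
}

# Constructed fstab excerpts; device names are placeholders.
weak_fstab() {
    cat <<'EOF'
# device    mountpoint fstype options                  dump pass
/dev/sda1   /          ext3   defaults                 1 1
/dev/sda5   /tmp       ext3   defaults,usrquota,nosuid 1 2
EOF
}
hardened_fstab() {
    cat <<'EOF'
/dev/sda1   /          ext3   defaults                        1 1
/dev/sda5   /tmp       ext3   usrquota,rw,nosuid,nodev,noexec 1 2
EOF
}

echo "weak:     $(weak_fstab | tmp_missing_opts)"
echo "hardened: $(hardened_fstab | tmp_missing_opts)"
```

On a live system, feed it `/etc/fstab` to check the configured options or `/proc/mounts` to check what is actually in effect.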
     