Problem with PHP and safe mode

[Seven77]

Because of security reason we have enable the safe mode in php on all our servers.

Now we do have problems with the install scripts of xmb and the advanced geustbook. The script is telling that it is not possible to install those because of the safe mode.

Does anybody know as solution?

Thanx for any hint!!

Seven

 

[AbeFroman]

what is safe mode?

what is safe mode in php?

 

[Brad]

Get used to it. Php safe mode will tighten things up for php scripts but cause problems for many other scripts, some will not even function.

 

[jumpdomain]

Someone correct me if I am wrong but since PHP safe mode only applies to PHP scripts, it is pretty useless if you also allow CGI (perl) scripts since they can just circumvent the security built into safe mode by changing what they want to do to a perl script…

 

[Seven77]

safe mode useless

safe mode is NOT useless because for the cgi's you have to use suexec.

Well frankly speaking each hosting company which has more the 2 customer on a box without safe mode on and without suexec should stop working as a hosting company. Even a swiss cheese has less holes then a server without these two &must to turn on&.

Well it looks like the hole community doesn't care that much about customer security and their files. If I consider that most of the cpanel.net members are from the States I would say:

Stop Hosting with US companies ;-)

Or do you care? Am I wrong? Well, i am wondering what you think.

Seven

P.S. I found a way to run more or less all scripts even if you have safe mode turn on.

 

[jumpdomain]

OK... I would love to see some examples of what you are so worried about. Are you thinking along the lines of the files that PHP writes to and reads from and the ownership of the PHP process?

I don't claim to be a security expert or want to start a security debate... I would just like to know exactly what you are refering to...

 

[Seven77]

[quote:e928a85be7][i:e928a85be7]Originally posted by jumpdomain[/i:e928a85be7]

OK... I would love to see some examples of what you are so worried about. Are you thinking along the lines of the files that PHP writes to and reads from and the ownership of the PHP process?

I don't claim to be a security expert or want to start a security debate... I would just like to know exactly what you are refering to...[/quote:e928a85be7]

Ok, let's say you have 300 clients on a server. all use cpanel and you allow them more or less all things what one person can to with cpanel.

Now, without safe_mode and suexec on you need a php script with 2 lines , something like this big:

xxxxx xxx xxxxxxx xxxx
xxxxxxx xxx xxxxxxxxxxxxxxxx xxxxxxxxxxx

Now one client makes this php scirpt, loads it up to his account and link it with his bowser.

What happens?
He will see:

Domainname Username Passwort

He will see that for ALL of your customer.

I don't know if this is no security issue for you but for us this is a big reason to use safe_mode and suexec.

Seven

 

[Juanra]

Talking about PHP and SuExec... When SuExec is enabled, and PHP running as a module, can users chmod 600 their PHP scripts?

 

[bdraco]

php must run as a cgi script to use suexec

 

[MattF]

You talk about using safe_mode in PHP, which sounds a good idea.

Then another clevers user says what's the point if others cgi scripts can get around the security (ie. snoop others' files)

Then another users says suexec controls the cgi.

What about perl scripts executed under mod_perl (ie. most of them) then? They're not suexec'd and surely they can get around the security. If so then there is little point in using php safe_mode as it only causes problems and those that want to get around the security for snooping other's mysql password etc... will just write a perl script.

 

[masood]

[quote:c69de855b3][i:c69de855b3]Originally posted by bdraco[/i:c69de855b3]

php must run as a cgi script to use suexec[/quote:c69de855b3]

Can we do this under cpanel/themes?? and chmod 600 the php code?

 

[Brownie]

masood, what nick means is you have to stop PHP loading as an apache module and make it use the PHP binary, its not related to chmod-ing themes

 

[SkateYeah]

Can we disable php safe mode per domain like with Ensim 3.0 (it can be done by placing a file with command saying to turn it off)?

Cause i'm thinking in getting a cpanel dedicated machine and I NEED to have php safe mode off for some domains

 

[SHSaeed]

If just CPanel/WHM added open_basedir to all new domains and subdomains in httpd.conf, you could lock the users in their own home directory without enabling safe mode and causing problems with many scripts.. I think this is a feature that needs to be added to CPanel/WHM ASAP! Also it would be nice if we were given the choice of choosing the temp dir.

 

[multivol]

if i set

openbasedir = ~

I notice user cant get out of there /home/username

I had a phpsysinfo script on an account and it seems like the script cant get servers stats.

Will this affect any other common programs? Will it break any functions in cpanel or whm??

 

[moronhead]

Multivol, are you using this in your php.ini or in httpd.conf?

openbasedir = ~

 

[kt]

openbasedir = ~


I think they should look into putting this into all new accounts aswell. This could solve alot of the problems the we are having right now as far as securing our servers.


Thanks

 

[Domenico]

Can someone please give more info about using openbasedir = ~

 

[Radio_Head]

[quote:44d7bfe713][i:44d7bfe713]Originally posted by kt[/i:44d7bfe713]



openbasedir = ~


I think they should look into putting this into all new accounts aswell. This could solve alot of the problems the we are having right now as far as securing our servers.


Thanks[/quote:44d7bfe713]

It works on subdomains too ?

(I usually add this line to each account on httpd.conf
php_admin_value open_basedir &/home/user:/tmp&

&openbasedir = ~& works better (is it more safe) ?
)

 

[Radio_Head]

[quote:ff7608db99][i:ff7608db99]Originally posted by kt[/i:ff7608db99]



openbasedir = ~


I think they should look into putting this into all new accounts aswell. This could solve alot of the problems the we are having right now as far as securing our servers.


Thanks[/quote:ff7608db99]

It works on subdomains too ?

(I usually add this line to each account on httpd.conf
php_admin_value open_basedir &/home/user:/tmp&

&openbasedir = ~& works better (is it more safe) ?
)