The Community Forums


Problem with PHP and safe mode

Discussion in 'General Discussion' started by Seven77, Feb 26, 2002.

  1. Seven77

    Seven77 Active Member

    Joined:
    Nov 7, 2001
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Because of security reasons we have enabled the safe mode in PHP on all our servers.

    Now we do have problems with the install scripts of XMB and the Advanced Guestbook. The script is telling us that it is not possible to install those because of the safe mode.

    Does anybody know a solution?

    Thanks for any hint!!

    Seven
     
  2. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    what is safe mode?

    what is safe mode in php?
     
  3. Brad

    Brad Well-Known Member

    Joined:
    Aug 16, 2001
    Messages:
    231
    Likes Received:
    0
    Trophy Points:
    16
    Get used to it. PHP safe mode will tighten things up for PHP scripts but cause problems for many other scripts; some will not even function.
     
  4. jumpdomain

    jumpdomain Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    Someone correct me if I am wrong but since PHP safe mode only applies to PHP scripts, it is pretty useless if you also allow CGI (perl) scripts since they can just circumvent the security built into safe mode by changing what they want to do to a perl script…
     
  5. Seven77

    Seven77 Active Member

    Joined:
    Nov 7, 2001
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    safe mode useless

    safe mode is NOT useless because for the cgi's you have to use suexec.

    Well, frankly speaking, each hosting company which has more than 2 customers on a box without safe mode on and without suexec should stop working as a hosting company. Even a Swiss cheese has fewer holes than a server without these two "must to turn on".

    Well, it looks like the whole community doesn't care that much about customer security and their files. If I consider that most of the cpanel.net members are from the States I would say:

    Stop Hosting with US companies ;-)

    Or do you care? Am I wrong? Well, I am wondering what you think.

    Seven

    P.S. I found a way to run more or less all scripts even if you have safe mode turned on.
     
  6. jumpdomain

    jumpdomain Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    OK... I would love to see some examples of what you are so worried about. Are you thinking along the lines of the files that PHP writes to and reads from and the ownership of the PHP process?

    I don't claim to be a security expert or want to start a security debate... I would just like to know exactly what you are referring to...
     
  7. Seven77

    Seven77 Active Member

    Joined:
    Nov 7, 2001
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Originally posted by jumpdomain:

    > OK... I would love to see some examples of what you are so worried about. Are you thinking along the lines of the files that PHP writes to and reads from and the ownership of the PHP process?
    >
    > I don't claim to be a security expert or want to start a security debate... I would just like to know exactly what you are referring to...

    Ok, let's say you have 300 clients on a server. All use cPanel and you allow them more or less all the things that one person can do with cPanel.

    Now, without safe_mode and suexec on, you need a PHP script with 2 lines, something this big:

    xxxxx xxx xxxxxxx xxxx
    xxxxxxx xxx xxxxxxxxxxxxxxxx xxxxxxxxxxx

    Now one client makes this PHP script, loads it up to his account and links to it with his browser.

    What happens?
    He will see:

    Domain name Username Password

    He will see that for ALL of your customers.

    I don't know if this is not a security issue for you, but for us this is a big reason to use safe_mode and suexec.

    Seven
     
  8. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    Talking about PHP and SuExec... When SuExec is enabled, and PHP running as a module, can users chmod 600 their PHP scripts?
     
  9. bdraco

    bdraco Guest

    php must run as a cgi script to use suexec
     
  10. MattF

    MattF Active Member

    Joined:
    May 5, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    You talk about using safe_mode in PHP, which sounds a good idea.

    Then another clever user says what's the point if other CGI scripts can get around the security (i.e. snoop others' files).

    Then another user says suexec controls the CGI.

    What about Perl scripts executed under mod_perl (i.e. most of them) then? They're not suexec'd and surely they can get around the security. If so, then there is little point in using PHP safe_mode, as it only causes problems, and those that want to get around the security for snooping others' MySQL passwords etc. will just write a Perl script.
     
  11. masood

    masood Well-Known Member

    Joined:
    Jun 14, 2002
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Originally posted by bdraco:

    > php must run as a cgi script to use suexec

    Can we do this under cpanel/themes?? and chmod 600 the php code?
     
  12. Brownie

    Brownie Well-Known Member

    Joined:
    Aug 10, 2001
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    masood, what nick means is you have to stop PHP loading as an Apache module and make it use the PHP binary; it's not related to chmod-ing themes :)
     
  13. SkateYeah

    SkateYeah Member

    Joined:
    Jul 9, 2002
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Can we disable PHP safe mode per domain like with Ensim 3.0 (it can be done by placing a file with a command saying to turn it off)?

    Because I'm thinking of getting a cPanel dedicated machine and I NEED to have PHP safe mode off for some domains :(
     
  14. SHSaeed

    SHSaeed Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    If only cPanel/WHM added open_basedir to all new domains and subdomains in httpd.conf, you could lock the users in their own home directory without enabling safe mode and causing problems with many scripts. I think this is a feature that needs to be added to cPanel/WHM ASAP! Also it would be nice if we were given the choice of choosing the temp dir.
     
  15. multivol

    multivol Active Member

    Joined:
    Sep 1, 2002
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    If I set

    openbasedir = ~

    I notice users can't get out of their /home/username

    I had a phpsysinfo script on an account and it seems like the script can't get server stats.

    Will this affect any other common programs? Will it break any functions in cPanel or WHM?
     
  16. moronhead

    moronhead Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    706
    Likes Received:
    0
    Trophy Points:
    16
    Multivol, are you using this in your php.ini or in httpd.conf?

    openbasedir = ~
     
  17. kt

    kt Active Member

    Joined:
    May 4, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    openbasedir = ~


    I think they should look into putting this into all new accounts as well. This could solve a lot of the problems that we are having right now as far as securing our servers.


    Thanks
     
  18. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    362
    Likes Received:
    0
    Trophy Points:
    16
    Can someone please give more info about using openbasedir = ~
     
  19. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Originally posted by kt:

    > openbasedir = ~
    >
    > I think they should look into putting this into all new accounts as well. This could solve a lot of the problems that we are having right now as far as securing our servers.
    >
    > Thanks

    It works on subdomains too?

    (I usually add this line to each account in httpd.conf:
    php_admin_value open_basedir "/home/user:/tmp"

    "openbasedir = ~" works better (is it more safe)?
    )
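
An added example, not part of the thread and not cPanel's own code: a small audit that walks the VirtualHost blocks of an httpd.conf and flags any vhost that lacks the `php_admin_value open_basedir` line discussed above, or whose value is wider than the account's own home. The sample config, the `/home/<user>/...` layout and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample httpd.conf fragment (not from the thread): one vhost uses
# the directive form quoted above, one has none, one is scoped to all of /home.
SAMPLE_CONF = '''
<VirtualHost 192.0.2.10:80>
    ServerName alice.example
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName carol.example
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir "/home:/tmp"
</VirtualHost>
'''

VHOST_RE = re.compile(r'<VirtualHost\b[^>]*>(.*?)</VirtualHost>', re.S | re.I)

def directive(body, name):
    """Return the argument of the last uncommented `name` directive, or None."""
    hits = re.findall(r'^[ \t]*' + name + r'[ \t]+(.+?)[ \t]*$', body, re.M | re.I)
    return hits[-1].strip('"\'') if hits else None

def audit(conf_text):
    """Return (server_name, finding) pairs for vhosts whose PHP file access is not confined."""
    findings = []
    for body in VHOST_RE.findall(conf_text):
        name = directive(body, 'ServerName') or '(unnamed)'
        docroot = directive(body, 'DocumentRoot')
        basedir = directive(body, r'php_admin_value[ \t]+open_basedir')
        if basedir is None:
            findings.append((name, 'no open_basedir'))
            continue
        # Assumes the /home/<user>/... layout used in the thread.
        home = '/'.join(docroot.split('/')[:3]) if docroot else None
        paths = [p.rstrip('/') for p in basedir.split(':') if p]
        # Any entry other than /tmp that is not inside the account's home is too wide.
        wide = [p for p in paths if p != '/tmp'
                and (home is None or not (p + '/').startswith(home + '/'))]
        if wide:
            findings.append((name, 'open_basedir too broad: ' + ','.join(wide)))
    return findings

if __name__ == '__main__':
    for name, finding in audit(SAMPLE_CONF):
        print(name, '->', finding)
```
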
     