Problem with PHP and safe mode

Seven77

Active Member
Nov 7, 2001
29
0
301
For security reasons we have enabled safe mode in PHP on all our servers.

Now we have problems with the install scripts of XMB and the Advanced Guestbook. The scripts say that it is not possible to install them because of safe mode.

Does anybody know a solution?

Thanks for any hint!!

Seven
 

AbeFroman

BANNED
Feb 16, 2002
654
1
318
what is safe mode?

what is safe mode in php?
 

Brad

Well-Known Member
Aug 16, 2001
231
0
316
Get used to it. PHP safe mode will tighten things up for PHP scripts but cause problems for many other scripts; some will not even function.
 

jumpdomain

Well-Known Member
Aug 12, 2001
109
0
316
Someone correct me if I am wrong but since PHP safe mode only applies to PHP scripts, it is pretty useless if you also allow CGI (perl) scripts since they can just circumvent the security built into safe mode by changing what they want to do to a perl script…
 

Seven77

Active Member
Nov 7, 2001
29
0
301
safe mode useless

Safe mode is NOT useless, because for the CGIs you have to use suexec.

Well, frankly speaking, each hosting company which has more than 2 customers on a box without safe mode on and without suexec should stop working as a hosting company. Even a Swiss cheese has fewer holes than a server without these two "must turn on".

Well, it looks like the whole community doesn't care that much about customer security and their files. If I consider that most of the cpanel.net members are from the States I would say:

Stop Hosting with US companies ;-)

Or do you care? Am I wrong? Well, I am wondering what you think.

Seven

P.S. I found a way to run more or less all scripts even if you have safe mode turned on.
 

jumpdomain

Well-Known Member
Aug 12, 2001
109
0
316
OK... I would love to see some examples of what you are so worried about. Are you thinking along the lines of the files that PHP writes to and reads from and the ownership of the PHP process?

I don't claim to be a security expert or want to start a security debate... I would just like to know exactly what you are referring to...
 

Seven77

Active Member
Nov 7, 2001
29
0
301
[quote][i]Originally posted by jumpdomain[/i]

OK... I would love to see some examples of what you are so worried about. Are you thinking along the lines of the files that PHP writes to and reads from and the ownership of the PHP process?

I don't claim to be a security expert or want to start a security debate... I would just like to know exactly what you are referring to...[/quote]

OK, let's say you have 300 clients on a server. All use cPanel and you allow them more or less everything one person can do with cPanel.

Now, without safe_mode and suexec on, you need a PHP script with 2 lines, something about this big:

xxxxx xxx xxxxxxx xxxx
xxxxxxx xxx xxxxxxxxxxxxxxxx xxxxxxxxxxx

Now one client makes this PHP script, uploads it to his account and opens it with his browser.

What happens?
He will see:

Domainname Username Password

He will see that for ALL of your customers.

I don't know if this is no security issue for you, but for us this is a big reason to use safe_mode and suexec.

Seven
 

MattF

Active Member
May 5, 2002
35
0
306
You talk about using safe_mode in PHP, which sounds like a good idea.

Then another clever user says what's the point if other CGI scripts can get around the security (i.e. snoop others' files).

Then another user says suexec controls the CGI.

What about Perl scripts executed under mod_perl (i.e. most of them) then? They're not suexec'd and surely they can get around the security. If so, then there is little point in using PHP safe_mode, as it only causes problems, and those that want to get around the security for snooping others' MySQL passwords etc. will just write a Perl script.
 

masood

Well-Known Member
Jun 14, 2002
78
0
156
[quote][i]Originally posted by bdraco[/i]

php must run as a cgi script to use suexec[/quote]

Can we do this under cpanel/themes? And chmod 600 the PHP code?
 

Brownie

Well-Known Member
Aug 10, 2001
145
0
316
masood, what nick means is you have to stop PHP loading as an Apache module and make it use the PHP binary; it's not related to chmod-ing themes :)
 

SkateYeah

Member
Jul 9, 2002
6
0
151
Can we disable PHP safe mode per domain like with Ensim 3.0 (it can be done by placing a file with a command saying to turn it off)?

Because I'm thinking of getting a cPanel dedicated machine and I NEED to have PHP safe mode off for some domains :(
 

SHSaeed

Well-Known Member
May 9, 2002
245
0
316
If only CPanel/WHM added open_basedir to all new domains and subdomains in httpd.conf, you could lock the users in their own home directory without enabling safe mode and causing problems with many scripts. I think this is a feature that needs to be added to CPanel/WHM ASAP! Also it would be nice if we were given the choice of choosing the temp dir.
 

multivol

Active Member
Sep 1, 2002
25
0
151
If I set

openbasedir = ~

I notice users can't get out of their /home/username.

I had a phpsysinfo script on an account and it seems like the script can't get server stats.

Will this affect any other common programs? Will it break any functions in cPanel or WHM?
 

kt

Active Member
May 4, 2002
40
0
306
openbasedir = ~


I think they should look into putting this into all new accounts as well. This could solve a lot of the problems that we are having right now as far as securing our servers.


Thanks
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,051
1
343
[quote][i]Originally posted by kt[/i]

openbasedir = ~

I think they should look into putting this into all new accounts as well. This could solve a lot of the problems that we are having right now as far as securing our servers.

Thanks[/quote]

Does it work on subdomains too?

(I usually add this line to each account in httpd.conf:
php_admin_value open_basedir "/home/user:/tmp"

Does "openbasedir = ~" work better (is it safer)?
)
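Added example, not part of the thread and not cPanel's own code: a Python check that walks an httpd.conf-style file and reports each VirtualHost that has no `php_admin_value open_basedir` line, or whose value is wide enough to reach other accounts. The sample config, host names and the /home/<user> layout are constructed assumptions.

```python
import re

# Constructed sample in httpd.conf style; host names and paths are made up.
SAMPLE_CONF = '''
<VirtualHost 192.0.2.10:80>
    ServerName alice.example
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName carol.example
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir "/home:/tmp"
</VirtualHost>
'''

VHOST_RE = re.compile(r'<VirtualHost\b[^>]*>(.*?)</VirtualHost>', re.S | re.I)

def directive(block, name):
    """Return the argument of the first matching directive line, or None."""
    m = re.search(r'^[ \t]*' + name + r'[ \t]+(.+?)[ \t]*$', block, re.M | re.I)
    return m.group(1).strip('"\'') if m else None

def audit(conf_text):
    """Return (server_name, finding) pairs for vhosts needing attention."""
    findings = []
    for block in VHOST_RE.findall(conf_text):
        name = directive(block, 'ServerName') or '(unnamed)'
        docroot = directive(block, 'DocumentRoot')
        basedir = directive(block, r'php_admin_value[ \t]+open_basedir')
        if basedir is None:
            findings.append((name, 'no open_basedir'))
            continue
        if not docroot:
            continue
        # Assumption: accounts live under /home/<user>, as in the thread.
        home = '/'.join(docroot.split('/')[:3])
        allowed = [p.rstrip('/') for p in basedir.split(':') if p]
        # A parent of the account's home (e.g. /home or /) exposes other accounts.
        if any(home.startswith(p + '/') for p in allowed):
            findings.append((name, 'open_basedir wider than ' + home))
        elif not any(docroot == p or docroot.startswith(p + '/') for p in allowed):
            findings.append((name, 'open_basedir does not cover DocumentRoot'))
    return findings
```
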
 
