
register_globals=on for suexec/suphp ?

Discussion in 'General Discussion' started by meeti, Feb 17, 2008.

  1. meeti

    Hi,

    The server-wide register_globals on my server is set to "off",

    and the server runs as suexec/suphp.

    How can I set it to "on" for a certain account?


    Thanks a lot.
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Add it to an httpd.conf Include for the account.
     
  3. meeti


    Hi,

    Can you tell me in more detail?

    Thanks
     
  4. darren.nolan

    You could create a php.ini in their folder (needs to be in EACH folder that PHP is required to be run with global registers on) - and place the following line.
    Code:
    register_globals = On
    
    Easy as.
     
  5. craigedmonds

    suexec + register_globals + localised php.ini file = disaster

    I have tried this and it does not work.

    We are running Apache Version: 1.3.41 and SuExec with register_globals set to Off.

    Since installing SuExec the other day, on one of our sites we get the following error:

    "Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory"

    Then, according to every web page about this error, we put a php.ini file containing the following line:

    register_globals = ON

    Still get the same error.

    According to my server guy he is saying

    "In older phpsuexec installations, you can use local php.ini files to override variables locally. However, ever since cpanel11's latest easyapache installer, this does not work with phpsuexec any more. You can test this by putting a phpinfo page and a php.ini in the same directory and you'll see that it does not read the local php.ini. You can also contact cpanel and ask them if you want to verify. This function does not work with phpsuexec anymore as of the latest installer."

    Is what he is saying correct and if so how do we work around it?

    We can't be the only web server in the world that has this problem.
     
  6. cPanelKenneth

    First: phpsuExec no longer exists. There is only suExec support and mod_suphp support (for the pedantic: phpsuExec refers to some special patching we used to perform to suExec, patching we no longer do as it was far too problematic).

    Second: when using suExec only, you will need to either make the modification to the server wide php.ini file (usually in /usr/local/lib/php.ini) or add the overrides directly to the VirtualHost needing the override, using the php_ directives (see the PHP manual for more information on this).

    Third: if using mod_suphp, then you can provide a php.ini in the local directory of the user and it will be used.
     
  7. craigedmonds

    Thanks for that info.

    I have passed it on and hopefully things can get worked out.
     
  8. Stefaans

    There is a danger in doing it exactly as you explain. When you have a php.ini in the user directory, it is not a case that it overrides only the specified directives of your main (server-wide) php.ini. In fact, your main php.ini is not considered at all. This means that having only one or more directives in the local php.ini, all other directives revert to their default settings, which may be insecure or bad for performance.

    My advice would be to put a comprehensive php.ini in the user directory that includes settings for all important directives that affect security. For example, copy your main php.ini (which should have all the security and performance tweaks you want) to the user directory, and then make the selected changes to the user's php.ini.
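
The effect Stefaans describes, as an added example that is not part of the original thread: a small Python check that lists which directives set in the server-wide php.ini a local php.ini omits (and so, per the post, revert to PHP's defaults) and which it overrides. The function names and both sample files are constructed for illustration.

```python
# Added example: find directives a per-account php.ini silently drops.
# Assumes the behaviour described in the post above: the local file replaces
# the server-wide php.ini instead of being merged with it.

TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"", "0", "off", "false", "no", "none"}

def parse_ini(text):
    """Minimal php.ini reader: 'name = value' lines; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # does not handle ';' inside quotes
        if "=" in line and not line.startswith("["):
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip().strip('"')
    return settings

def canon(value):
    """Fold php.ini boolean spellings so 'ON' and 'On' compare equal."""
    v = value.lower()
    return "on" if v in TRUE_WORDS else "off" if v in FALSE_WORDS else value

def audit_local_ini(server_text, local_text):
    """Return (missing, changed) directive names relative to the server-wide file."""
    server, local = parse_ini(server_text), parse_ini(local_text)
    missing = sorted(n for n in server if n not in local)
    changed = sorted(n for n in server
                     if n in local and canon(local[n]) != canon(server[n]))
    return missing, changed

# Constructed sample files, not taken from any real server.
SERVER_INI = """[PHP]
register_globals = Off
allow_url_fopen = Off      ; hardened by the admin
expose_php = Off
disable_functions = exec,system,passthru
memory_limit = 32M
"""
ONE_LINE_LOCAL = "register_globals = ON\n"
COPIED_LOCAL = SERVER_INI.replace("register_globals = Off", "register_globals = On")

if __name__ == "__main__":
    for label, text in (("one-line", ONE_LINE_LOCAL), ("copied", COPIED_LOCAL)):
        missing, changed = audit_local_ini(SERVER_INI, text)
        print(f"{label}: reverts to default: {missing}; overridden: {changed}")
```
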
     
  9. Branko

  10. sparek-3

    If you are using suphp the easiest solution is to add this line in the VirtualHost container for that Virtualhost:

    suPHP_ConfigPath /home/user/php

    Then create a /etc/phpconf/user directory and copy your server-wide php.ini file to that directory. Edit the /etc/phpconf/user/php/php.ini and enable register_globals. Then restart Apache.

    If you are using Apache2 or EA3, you will want to use the include system so you will want to create a folder:

    mkdir -p /usr/local/apache/conf/userdata/std/2/user/domain.com

    Then create a suphp.conf file in that directory (/usr/local/apache/conf/userdata/std/2/user/domain.com/suphp.conf).

    Add the lines:

    <IfModule mod_suphp.c>
    suPHP_ConfigPath /etc/phpconf/user
    </IfModule>


    Run /scripts/ensure_vhost_includes --user=user

    This will cause suphp to read the php.ini file that is in /home/user/php instead of the server-wide php.ini file.

    Of course, the absolute best action is to figure out why the script needs register_globals in the first place. Is the script the latest version? Do the developers realize that register_globals is going to be deprecated in PHP6? Any script that requires register_globals in order to work really falls into one of two categories. Either the project that created the script is dead and the script is no longer being maintained (therefore a security risk). Or the script was developed by someone who is not an expert PHP programmer and how much trust do you really want to put in such a PHP script? (They may be a beginner PHP programmer, and beginners do make mistakes there's nothing wrong with that, but they need to be educated about their mistakes).
     
    #10 sparek-3, Apr 23, 2008
    Last edited: Sep 11, 2009
  11. dragon2611

    Personally I'd put the custom PHP file for that account somewhere the user can't actually get to it, and preferably with permissions that mean they can't change it.

    It doesn't have to be in their home directory; I'd argue it's safer that it's not.
     
  12. sparek-3

    I agree. I would do all of these steps as root. Then the user will not be able to make changes to the php.ini file (it will be owned by root) but Apache will still be able to read it. Putting it under the user's home directory allows for it to be backed up as part of the cPanel backup and just gives it good structure.

    But, you may be right, creating an /etc/suphpconfs directory (or some such directory) and creating a directory structure under that directory might be even more secure.
     
  13. bornonline

  14. cPanelKenneth

    A root owned file in a user owned directory can be deleted by the user. Then the user simply needs to create his own php.ini in its place.
     
  15. Stefaans

    Not if group or other have read-only access ;)
     
  16. cPanelKenneth

    Code:
    root@mundane [/home34y69da/tramel]# touch deleteme
    root@mundane [/home34y69da/tramel]# ls -l deleteme
    -rw-r--r--  1 root root 0 Apr 24 11:32 deleteme
    root@mundane [/home34y69da/tramel]# su - tramel
    tramel@abc.com [~]# rm deleteme
    rm: remove write-protected regular empty file `deleteme'? y
    tramel@abc.com [~]# ls -l deleteme
    /bin/ls: deleteme: No such file or directory
    tramel@abc.com [~]# 
    
     
  17. Stefaans

    Very interesting. I have some homework to do! :eek:

    I guess making the php.ini immutable would be an option, but I would not want to go to that extreme.
     
  18. sparek-3

    This is true. Though I've never run into a problem with this. It may be better to store this folder somewhere out of the user's home directory.

    The user would be able to delete the root owned file if it is in a directory that is owned by the user itself. This is because the deleting action is actually being done at the parent level. If you take my example of:

    /home/user/php/php.ini

    If you break it down:

    /home/user/php/php.ini is owned by root
    /home/user/php is owned by root
    /home/user is owned by user

    The user cannot delete the actual php.ini file in /home/user/php, nor can they write changes to it (assuming that permissions on the file are 644 or less). However, the user can delete the directory /home/user/php. Now all the user has to do is recreate the /home/user/php path and now /home/user/php is owned by user allowing user to create a /home/user/php/php.ini file.
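
The ownership problem discussed in the posts above, as an added example that is not part of the original thread: a Python check that walks from a php.ini up through its parent directories and reports every link that is owned by an account outside a trusted set or is group/other writable. The function names, the `stop` parameter and the demo tree are assumptions made for illustration.

```python
# Added example: audit every link in the path to a per-account php.ini.
import os
import stat
from pathlib import Path

def weak_links(target, trusted_uids=(0,), stop="/"):
    """List (path, reason) for each component between `target` and `stop`
    (both included) that an untrusted account could rewrite or replace."""
    findings = []
    path, stop = Path(target).resolve(), Path(stop).resolve()
    while True:
        st = os.stat(path)
        kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
        if st.st_uid not in trusted_uids:
            # A directory's owner can unlink or rename anything inside it,
            # whoever owns those entries; a file's owner can rewrite it.
            findings.append((str(path), f"{kind} owned by uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(path), f"{kind} writable by group/other"))
        if path == stop or path == path.parent:
            return findings
        path = path.parent

def build_demo_tree(base):
    """Constructed layout mirroring the thread's /home/user/php/php.ini."""
    ini = Path(base, "home", "user", "php", "php.ini")
    ini.parent.mkdir(parents=True)
    ini.write_text("register_globals = On\n")
    ini.chmod(0o644)
    for d in list(ini.parents)[:3]:    # php, user, home
        d.chmod(0o755)
    return ini

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        ini = build_demo_tree(base)
        # Run as a normal user, nothing here is root-owned, so every link
        # is reported; run as root, the list is empty.
        for where, why in weak_links(ini, trusted_uids=(0,), stop=base):
            print(where, "->", why)
```

On a real server, leave `stop` at `/` so the whole chain is checked; a php.ini under `/home/user` fails at the `/home/user` link, which is the case shown in the terminal session above.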
     
  19. bornonline

    Can't they just override it with the same flag in .htaccess? If so, all this is worthless. I'll test when I get some time, but was hoping someone may have already checked this...guess not so far.

    Thanks
     
    #19 bornonline, Apr 24, 2008
    Last edited: Apr 24, 2008
  20. sparek-3

    I'm not sure of the cPanel version of suPHP, but I run a customized suPHP system and I patch the code so that it does not allow suPHP_ConfigPath in .htaccess files.
     