The Community Forums


safe mode advice

Discussion in 'General Discussion' started by MscLimp, Sep 7, 2003.

  1. MscLimp

    MscLimp Active Member

    Joined:
    Mar 3, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Hi everyone,
    I currently have PHP safe mode ON for my server...
    Almost 20 clients now have requested it to be off.
    I keep telling them I need it for security reasons...
    Now I am wondering, would it be a security issue to turn off PHP safe mode, yet turn on php open_basedir Tweak and PHP SuExec (already on).
    By security issue, I mean, would it open up some holes people could get through (except for the open_basedir)
    Do you think I should do this?
    Thanks,
    Greg

  2. mickeymouse

    mickeymouse Well-Known Member

    Joined:
    Sep 16, 2003
    Messages:
    389
    Likes Received:
    0
    Trophy Points:
    16
    Dear MscLimp,

    Safe Mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels are not very realistic, many people, especially ISPs, use Safe Mode for now.

    More references for the configuration directives are given in these links:

    http://aspn.activestate.com/ASPN/docs/PHP/features.safe-mode.html

    http://www.php.net/manual/en/features.safe-mode.php

    http://www.zend.com/manual/features.safe-mode.php

    Regards,

  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Hello,

    With PHP safe mode off, each user can browse almost the whole server
    with PHP programs like this:

    http://www.digitart.com.mx/php/myshell/

    With safe mode on, you are safer (but not 100% safe).

    Another solution is to use phpsuexec; read other posts on this forum to learn how it works. However, phpsuexec is an unsupported patch, so use it at your own risk. I still prefer "safe mode on" for now.

    #3 Radio_Head, Sep 24, 2003
    Last edited: Sep 24, 2003
  4. backup

    backup Member

    Joined:
    Sep 15, 2003
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Boston, MA
    Radio Head,
    True... but open_basedir fixes that so people cannot browse the whole server... doesn't it?

    -Greg

  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Yes, but there is some PHP code which can get around open_basedir (I was able to do that very easily).

    If some user has a script which doesn't work with
    PHP safe mode on, I turn it off for him, and I add the PHP open_basedir as a minimal protection.

    For now I still have to find a script or PHP code able to break "php safe mode on". I read that a user could disable PHP safe mode with php.ini. I have to verify it; however, if it is true, you could run a cron to check php.ini on /home.

    Again, I like the phpsuexec idea (much more than safe mode and open_basedir), but at the same time I don't like it, because it's a patch which is not supported by Apache or php.net.

    (I agree with mickeymouse: instead of finding the solution
    at the PHP, Perl or other language level, I think someone should find the solution at the OS level.
    The users should stay in their /home/user dir, independently of PHP, safe mode, suexec, Perl, SSH, and so on...)
     
    #5 Radio_Head, Sep 24, 2003
    Last edited: Sep 24, 2003
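The "cron to check php.ini on /home" mentioned in the post above, written out as an added example (not from the thread or cPanel). It assumes the one-account-per-/home/<user> layout from the thread; the sample tree it builds when run without arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. When PHP runs as a CGI (as it does under
# phpsuexec) a php.ini in the script's own directory is read, so a user can drop
# one in that sets safe_mode = Off or widens open_basedir; mod_php ignores such
# files. This script lists every php.ini under a root that touches either directive.
# Cron line (root crontab, hypothetical path): 0 3 * * * /usr/local/sbin/check_php_ini.sh /home

# Print "file:line:directive" for every safe_mode / open_basedir line found.
# Always exits 0 so it is safe under cron and `set -e`.
find_php_overrides() {
    root="$1"
    find "$root" -type f -name php.ini 2>/dev/null | while IFS= read -r f; do
        grep -Hn -E '^[[:space:]]*(safe_mode|open_basedir)[[:space:]]*=' "$f" || :
    done
}

# Count only the lines that actually weaken protection: safe_mode turned off,
# or open_basedir cleared / set to "/" (anything narrower is just informational).
count_weakening() {
    find_php_overrides "$1" \
      | grep -ciE 'safe_mode[[:space:]]*=[[:space:]]*(off|0)|open_basedir[[:space:]]*=[[:space:]]*(/|none)?[[:space:]]*$' || :
}

# Constructed sample tree standing in for /home so the script runs offline:
# "alice" ships a php.ini that disables both controls, "bob" only narrows open_basedir.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/alice/public_html" "$t/bob/public_html"
    printf 'safe_mode = Off\nopen_basedir = /\n' > "$t/alice/public_html/php.ini"
    printf 'open_basedir = /home/bob\nmemory_limit = 32M\n' > "$t/bob/public_html/php.ini"
    echo "$t"
}

# Scan the path given on the command line, or the constructed sample tree.
if [ $# -gt 0 ]; then
    root="$1"; cleanup=""
else
    root=$(make_sample_tree); cleanup="$root"
fi
find_php_overrides "$root"
echo "weakening directives: $(count_weakening "$root")"
if [ -n "$cleanup" ]; then rm -rf "$cleanup"; fi
```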
  6. backup

    backup Member

    Joined:
    Sep 15, 2003
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Boston, MA
    You can turn off safe mode for 1 account? How is that?

  7. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Yes. I just replied in another post. You can do it by editing httpd.conf.
     
  8. backup

    backup Member

    Joined:
    Sep 15, 2003
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Boston, MA
    Which post would that be?
    Thanks,
    Greg

  9. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
  10. Jemshi

    Jemshi Well-Known Member

    Joined:
    Sep 11, 2003
    Messages:
    210
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Hmm... in cPanel and all, turning safe mode off for a particular user means he has got access to all the other users' files also. Not a good idea.

    This works perfectly in Ensim (chrooted environment).

    You can also use open_basedir along with safe mode to limit file access to folders under his home.

  11. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Of course, where you add php_admin_value safe_mode 0
    you can still add the open_basedir restriction.

    About a chrooted environment, I have been asking for it for a long, long time... also because there is not only PHP :( to look around the server, there is also Perl and Python...
     
    #11 Radio_Head, Sep 26, 2003
    Last edited: Sep 26, 2003
  12. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Kinda late into this discussion, but my syntax for disabling it for a single account is:

    php_admin_flag safe_mode off

    Or as it appears in my httpd.conf file:

    <VirtualHost 221.122.122.222>
    ServerAlias www.dummydomain.net dummydomain.net
    ServerAdmin webmaster@dummydomain.net
    DocumentRoot /home/dummyd/public_html
    BytesLog domlogs/dummydomain.net-bytes_log
    ServerName www.dummydomain.net
    ScriptAlias /cgi-bin/ /home/dummyd/public_html/cgi-bin/
    User dummyd
    Group dummyd
    php_admin_flag safe_mode off
    CustomLog domlogs/dummydomain.net combined
    ErrorLog domlogs/dummydomain.net-error_log
    </VirtualHost>

    HTH someone.

    -Alon.
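An added audit script (not the poster's config, not cPanel's) that reads an httpd.conf like the one above and reports every VirtualHost that turns safe_mode off without also setting php_admin_value open_basedir, the combination Radio_Head recommends keeping. The two-account config it builds when run without arguments is constructed for the demo; the IP and the second domain are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit httpd.conf for VirtualHosts with
# "php_admin_flag safe_mode off" or "php_admin_value safe_mode 0" and no
# "php_admin_value open_basedir" inside the same block.

# Print one line per offending VirtualHost: "<ServerName>: safe_mode off, no open_basedir".
audit_safe_mode_vhosts() {
    awk '
      /^[[:space:]]*<VirtualHost/ { in_vh = 1; name = "?"; off = 0; basedir = 0; next }
      in_vh && /^[[:space:]]*ServerName[[:space:]]/ { name = $2 }
      in_vh && /php_admin_(flag|value)[[:space:]]+safe_mode[[:space:]]+([Oo][Ff][Ff]|0)/ { off = 1 }
      in_vh && /php_admin_value[[:space:]]+open_basedir[[:space:]]/ { basedir = 1 }
      /^[[:space:]]*<\/VirtualHost>/ {
          if (off && !basedir) print name ": safe_mode off, no open_basedir"
          in_vh = 0
      }' "$1"
}

# Constructed sample config: the first block mirrors the snippet in the post
# (safe_mode off only); the second also pins open_basedir to the account's home.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost 192.0.2.10>
ServerName www.dummydomain.net
DocumentRoot /home/dummyd/public_html
User dummyd
php_admin_flag safe_mode off
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.example.org
DocumentRoot /home/example/public_html
User example
php_admin_value safe_mode 0
php_admin_value open_basedir /home/example:/tmp:/usr/lib/php
</VirtualHost>
EOF
    echo "$f"
}

# Audit the file given on the command line, or the constructed sample.
conf="${1:-$(make_sample_conf)}"
audit_safe_mode_vhosts "$conf"
```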
     
  13. robert2807351

    robert2807351 Member

    Joined:
    Oct 11, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Holy Cow.

    I am in close contact with two PHP programmers whose server-side products we are marketing, and both companies require server safe mode to be off for the scripts to function properly.

    All week I have been learning about and looking for reasons to turn off server safe mode. But if the above discussion is true (which appears to be the case) then that means anyone with a little messing around could access a customer's server and delete, rename, and CHMOD whatever they wanted to, theoretically...

    And even if you turn it off for one or two customers (as opposed to your entire co-located server) those select customers still run a pretty good risk of getting hijacked, as well as quite a few other nice little surprises for them.

    This is obviously not good. The problem is that both PHP software companies that I mentioned above require safe mode to be off in order for them to function properly. For example, one product needs to be able to write directories and set permissions while the other needs it off for a multitude of tasks.

    Thanks for the great discussion above guys, but unless I am severely mistaken, I think we have some serious reprogramming to do. I have linked both companies to this thread so that they too can panic as I have lol :eek:
     
    #13 robert2807351, Oct 12, 2004
    Last edited: Oct 12, 2004
  14. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    There are workarounds.
    I have found that there are a lot of lazy programmers, such as in gallery.sourceforge.com, who refuse to embrace the issue of security.
    They are lazy and won't take the necessary time to do some code fix-ups that would help us all.
    They claim that the OS needs to have a tighter security model and not PHP and yadda yadda yadda... and for crying out loud, they refuse to do some work that will benefit everyone.
    What do I mean?
    Well... Mamboserver is a complete CMS system that is also doing a lot of directory and file creation and management. They too had a problem with safe_mode on.
    Well... they DID take the time and thought about it and came up with a very simple solution.
    They have a PHP Safe Mode Patch.
    The way the patch works is: you enter your username and password into the system, and every time you want to create a directory or file or do what you need to do on the file system, it actually does an FTP logon with the credentials you provided, and then it is acting as the user itself; as with the FTP user, you then own your files and directories.
    So ask your programmers if you want to do some rework and use that concept.
    They can probably take the code and work it directly from the mamboserver.com website (search for safe_mode patch).

    -Alon.
     
  15. robert2807351

    robert2807351 Member

    Joined:
    Oct 11, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1

    WOW - thank you Alon, I think this could be the fix we're looking for - thanks a lot.
     
  16. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    No prob. I can't take the credit for this concept/solution, just the credit for learning about it from searching the various forums :)

    Hope that helps.

    -Alon.
     