Safe mode Off only for one account - how ??

Discussion in 'General Discussion' started by sh4ka, Jan 31, 2006.

  1. sh4ka

    I have safe mode ON for the server, but there is one domain that needs safe mode off to work properly with a php script. How can I disable safe mode for this domain without having to disable this option for the whole server?

    I use RH4.

    Thank you.
     
  2. madaboutlinux

    You can turn off the php safe mode for an account by doing the following :-
    Edit the httpd.conf file in /usr/local/apache/conf and add the below line in VirtualHost Entry for that domain
    php_admin_flag safe_mode Off
    OR
    php_admin_value safe_mode 0

    Save the file and restart apache by
    service httpd stop
    service httpd start

    You can check whether php safe mode is turned off for that particular domain at :- http://domainname/phpinfo.php Check the "Local value" of Safe mode.
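
Added example (not part of the original post): once per-domain overrides like the one above exist, it is worth being able to list which VirtualHost entries switch safe mode off. This Python sketch scans httpd.conf text for the two directives quoted in the post; the sample configuration, hostnames, and the set of values treated as "off" are constructed assumptions.

```python
import re

# Constructed sample httpd.conf; addresses and hostnames are placeholders.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
    ServerName shop.example.com
    DocumentRoot /home/shop/public_html
    php_admin_flag safe_mode Off
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName blog.example.com
    DocumentRoot /home/blog/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName wiki.example.com
    # php_admin_flag safe_mode Off
    php_admin_value safe_mode 0
</VirtualHost>
"""

# Values this example treats as "off" (an assumption, kept deliberately small).
OFF_VALUES = {"off", "0", "false", "no"}
DIRECTIVE = re.compile(r"^php_admin_(?:flag|value)\s+safe_mode\s+(\S+)", re.I)

def vhosts_with_safe_mode_off(conf_text):
    """Return ServerNames of VirtualHost blocks that switch safe_mode off."""
    found, name, off, inside = [], None, False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if line.lower().startswith("<virtualhost"):
            inside, name, off = True, None, False
        elif line.lower().startswith("</virtualhost"):
            if inside and off:
                found.append(name or "(no ServerName)")
            inside = False
        elif inside:
            parts = line.split(None, 1)
            if parts[0].lower() == "servername" and len(parts) == 2:
                name = parts[1].strip()
            m = DIRECTIVE.match(line)
            if m:  # the last matching directive in the block decides
                off = m.group(1).strip('"').lower() in OFF_VALUES
    return found

if __name__ == "__main__":
    for host in vhosts_with_safe_mode_off(SAMPLE_CONF):
        print("safe_mode disabled for", host)
```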
     
  3. rsutc

    OK I have tried this workaround, also described in some detail in the article at
    http://webhostgear.com/166.html
    However, when I try to restart Apache with this line (or the other variant) in the httpd.conf file, Apache fails. I have a CentOS box. In addition, running from SSH the command apachectl configtest does not work, but behaves as though the command did not exist. Can anyone shed any light?

    Rick
     
  4. sawbuck

    Using "safe_mode = off" (no quotes) in a .htaccess file will turn off safe mode by directory with 2 caveats.

    1. If you are also running phpsuexec then the directive will need to be placed in a local php.ini instead of .htaccess.

    2. Starting with PHP5 (not sure exactly which version) this undocumented "feature" is no longer available. Apparently safe_mode will be deprecated with the release of PHP6.
     
  5. rsutc

    OK, as I now understand it with this post and other research,
    when Apache is running under phpsuexec (as a CGI) and therefore the php module is not loaded, this safe mode override cannot be put in either the httpd.conf (the syntax is not available) or the .htaccess file (not allowed there either).

    So, if I put it in a file called php.ini, say with no other commands, this will override the system wide php.ini? In this one setting (i.e. could I put in a php.ini file with this one change and nothing else?), or does the entire php.ini file with this one line changed need to be copied into the user's directories (I think it has to be in every affected directory to work)?

    But it seems to me that if safe mode can be overridden with a php.ini file in the user's directory, ANY security can be tossed out the window as presumably any setting can be changed.

    Is there any other way to change safe mode on a per user basis? I do not want to stop using phpsuexec.

    Finally, if safe mode is going to go away, why should I be using it at all?


    Rick
     
  6. sparek-3

    You will have to copy the server's php.ini file into the directory and then modify the necessary directives. The php.ini file that is read in the user's directory is the only one loaded if it is found. If a php.ini file exists in your public_html directory, then the system disregards the server-wide php.ini file.

    Concerning the security issue concerning the php.ini file, I think this is why this feature was disabled. I'm not sure who is responsible for its disabling. It may have been cPanel, the maintainers of the phpsuexec patch, or the PHP developers themselves. But either way, I think security concerns were raised for the very reason you state. This started with PHP 5.1.2 I believe.

    As far as a solution, I don't know of any that use phpsuexec. You can use suPHP and define a suPHP_ConfigPath directive within the VirtualHost entry for an account, which tells PHP to read a different php.ini file for that VirtualHost. However, suPHP is not a standard part of cPanel. I did write a howto on how to install suPHP on a cPanel server, but you really need to understand what you are doing to install it. Search for suPHP on this forum to find some other information regarding suPHP and cPanel.
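
Added example (not part of the original post): the post above says a php.ini found in the user's directory is the only one loaded, so a local file carrying a single changed line also drops every other server-wide setting. This Python sketch compares a local php.ini against the server-wide one and reports what is lost; the sample files and the list of watched directives are constructed assumptions.

```python
# Security-relevant directives to compare; this list is an assumption for the example.
WATCHED = ("safe_mode", "disable_functions", "open_basedir",
           "allow_url_fopen", "register_globals")

# Constructed sample files, not taken from any real server.
SERVER_INI = """[PHP]
safe_mode = On
disable_functions = exec,passthru,shell_exec,system
open_basedir = /home:/tmp
allow_url_fopen = Off
"""
LOCAL_INI = """; local php.ini holding one changed line only
safe_mode = Off
"""

def parse_ini(text):
    """Parse php.ini-style text into {directive: value}; section headers are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def lost_hardening(server_text, local_text):
    """List watched directives the server sets but the local file drops or changes."""
    server, local = parse_ini(server_text), parse_ini(local_text)
    report = []
    for key in WATCHED:
        if key not in server:
            continue
        if key not in local:
            # Absent locally: PHP's built-in default applies, not the server value.
            report.append((key, server[key], "MISSING (PHP default applies)"))
        elif local[key].lower() != server[key].lower():
            report.append((key, server[key], local[key]))
    return report

if __name__ == "__main__":
    for key, server_value, local_value in lost_hardening(SERVER_INI, LOCAL_INI):
        print(f"{key}: server={server_value!r} local={local_value!r}")
```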
     
  7. rsutc

    When you say "this feature was disabled" do you mean, "left out of later versions of php" and if so, what exactly? The ability to put in another php.ini file to do overrides? If so, what will the security model look like in the future?

    As it stands, I'm left with if (phpsuexec and thus php as cgi) and (safemode) then (can't override safemode) and therefore (customers using drupal, modernbill and others complain software won't work). Only solution is a php.ini (or symlink to one) in every affected directory or tell users they can't employ some software.

    I'll have a look at the suPHP solution, but I am reluctant to go that way, as cPanel has a way of killing off things one adds.

    If you had to choose between phpsuexec and safemode, which would you choose?

    Rick
     
    #7 rsutc, Sep 27, 2006
    Last edited: Sep 27, 2006
  8. sparek-3

    I'm referring to the "feature" that allows customized php.ini files in PHP. I put features in quotation marks because I'm not really sure if it qualifies as a feature. I'm not sure who disabled it. I really thought this was a part of the phpsuexec patch that allowed this, and thus when customized php.ini files were no longer being read, I assumed it was cPanel that removed this from the phpsuexec patch that is applied to Apache and PHP in easyapache.

    It was later pointed out that the disabling may have been done by the PHP developers. Meaning that PHP compiled as CGI would no longer read customized php.ini files in a user's home directory. I'm really not sure who is to blame, and I'm not really sure if blame is the correct word to use, because it depends on whether or not you consider this a feature or not.

    The feature itself, the ability to place a php.ini file in your public_html directory or other subdirectory and have it read instead of the server-wide php.ini file, was not really documented. It was just one of those things that was discovered by someone and found to work. In this situation, you can't really blame whoever disabled this functionality because it was never acknowledged as a feature.

    As for using phpsuexec vs. safe-mode, I would recommend phpsuexec and dropping safe-mode. A lot of the security bonuses that safe-mode provides can also be provided by phpsuexec. In a phpsuexec environment, users may be able to perform tasks that they normally would not be able to do if safe-mode were enabled, but they would always be tied to their username and thus would always be traceable. If I had to decide between phpsuexec and safe-mode I would probably go with phpsuexec, but others here might be able to offer counterpoints for safe-mode.

    The suPHP solution does appear to be holding on the servers that I have set this up on. But you do have a point, in that anything you do outside of cPanel really has to be monitored since it's not considered a part of cPanel and could get overwritten. And the procedures for implementing suPHP are not really considered easy, especially if you are talking about a fully loaded server. The guide that I have written is really only meant for fresh servers that do not have any accounts on them.
     
  9. rsutc

    You have been most helpful, and I had pretty much come to the same conclusion. Thanks for clarifying my thinking. I note that cPanel has apparently put suPHP support into the latest edge, but it will be a while before that makes it to release, which is where I am comfortable.

    Rick
     