
safemode, open_basedir and phpsuexec

Discussion in 'General Discussion' started by rs-freddo, Aug 1, 2003.

  1. rs-freddo

    OK, I know there are lots of posts out there on turning off safe mode for one site. However, none work with phpsuexec. If you're running phpsuexec then the php_admin_value flag will stop Apache from starting.

    You can of course put it inside the <IfModule mod_php4.c> </IfModule> tags - but since you are not loading mod_php4.c it does nothing. (If you are running phpsuexec then the security tweak of enabling open_basedir doesn't work either - for exactly the same reason.)

    I like running phpsuexec but it seems that if I want one site with safe mode off then it has to be off for all. And with no open_basedir protection too.

    So has anyone using phpsuexec successfully disabled safemode for one site and instituted open_basedir globally?

  2. mmkassem

    Sure anything you put for php in httpd.conf won't work because phpsuexec runs php as cgi.

    But I think phpsuexec allows you to have a php.ini for every user.

    Make a blank php.ini and put in it the safe variable turned off. But the user of this php.ini can edit it.

    As for open basedir I do not know.
     
    #2 mmkassem, Aug 2, 2003
    Last edited: Aug 2, 2003
  3. rs-freddo

    I figured to put this in php.ini
    open_basedir = ".:/usr/lib/php:/usr/local/lib/php:/tmp"
    This seems to work and effectively creates a safe mode because users no longer have access to directories containing commands. Once again globally.

    If I can create a php.ini for each user that would be great - where does it go?

  4. mmkassem

    Hmm... I do not think this will work for all scripts.

    in the folder you want to enable/disable a feature in.

    So, e.g., if you have a forum installed in /home/username/forums and you want to enable register global in it then create a blank php.ini in /home/username/forums with only the register global variable and turned on.
     
  5. rs-freddo

    This would mean that anybody could disable safe mode if you're using cgi php. I sure hope it doesn't work.

  6. mmkassem

    Yeah, they can disable safe_mode if they want.

  7. mpierre

    Yes, they can disable Safemode, but then, all PHP scripts can be set to right 400 or 600.

    As such, you can effectively protect files, no?

    Unless I am missing something...

    Is Safemode REALLY needed under PHPsuexec ?

  8. rs-freddo

    I am coming to the conclusion it's not. Basically running php as cgi makes it as safe as running perl. Therefore running phpsuexec - using safe mode and open_basedir is not necessary.

  9. Radio_Head

    It depends on what kind of security you are looking for...

    "safe mode" / "php openbase" and phpsuexec are not the same thing.

    "safe mode" and "php openbase" offer you and your users more data privacy *.

    "phpsuexec" does not protect the privacy of your users' data, but lets you monitor what the users are doing with php scripts. So you can stop abusers and know who the abusers are (as with perl and suexec).

    Suppose you have a hacker who is slowing down the server with a php script. "safe mode" and "php openbase" will not help you! With phpsuexec, you will know which user is abusing system resources. Without phpsuexec, php scripts run as nobody and it's not easy to identify the abuser, even if you can stop the process.

    Regarding data privacy (looking at or executing files outside of /home/user), phpsuexec provides NO protection similar to safe mode or openbase dir.

    Unluckily "safe mode" / "php openbase" and "phpsuexec" cannot work together.

    Since phpsuexec doesn't protect data privacy and is still experimental, I still prefer to have Safe mode ON without phpsuexec.

    * "Safe mode" also prevents the execution of shell commands using php. php without safe mode ON is like providing telnet to your users (!).
     
    #9 Radio_Head, Aug 4, 2003
    Last edited: Aug 4, 2003
  10. rs-freddo

    My point is that you already provide "telnet" to users via PERL, so providing it via php doesn't matter (conversely, disabling it in php while making PERL available certainly won't increase server security).

    You can protect data with phpsuexec because you can tighten permissions so they can't read or write others' files.

    safe mode and phpsuexec work fine together - as long as you don't want one site to have safe mode off.

    My previously stated implementation of open_basedir also works with phpsuexec - once again whole server only.
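
Added example (not part of the original thread and not any poster's code): a shell audit for the two points raised in the posts above, namely per-directory php.ini files that override safe_mode, open_basedir or register_globals under CGI PHP, and PHP scripts left readable by group or other instead of 400/600. The function names and the single-root layout of account homes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes account homes sit under one root directory (e.g. /home).

# Print "file:line" for every active (uncommented) security-relevant
# directive set in a php.ini anywhere under $1. Under CGI PHP these
# files are user-editable, so each hit is a user-controlled override.
find_ini_overrides() {
    # /dev/null forces grep to prefix the file name even for one file.
    # grep exits 1 when nothing matches; that is not an error here.
    find "$1" -type f -name php.ini -exec grep -E -i \
        '^[[:space:]]*(safe_mode|open_basedir|register_globals)[[:space:]]*=' \
        /dev/null {} + || true
}

# Print PHP scripts that group or other can read, i.e. anything wider
# than the 400/600 modes mentioned in the thread.
find_loose_php() {
    find "$1" -type f -name '*.php' \( -perm -040 -o -perm -004 \) -print
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -ge 1 ]; then
    echo "== php.ini overrides =="
    find_ini_overrides "$1"
    echo "== group/world-readable PHP scripts =="
    find_loose_php "$1"
fi
```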

  11. Radio_Head

  12. rs-freddo

    phpsuexec is no longer experimental and permissions no longer have to be changed. PHP files can be uploaded with FTP without chmod - they work fine.

    I think disabling C compilers is not necessary as it's easier to just upload a binary. I have seen many cases where the compiler was disabled and the hacker just uploaded a binary.

    Permissions - yes, I would certainly like to know more about permissions.

  13. Radio_Head

    It is no longer experimental? Do you know the official link of phpsuexec?

    And what happens if you install/try this on your phpsuexec box?

    http://www.digitart.com.mx/php/myshell/
     
    #13 Radio_Head, Aug 4, 2003
    Last edited: Aug 4, 2003
  14. Radio_Head

    > I think disabling c compilers is not necessary as it's easier to just upload a binary. I have seen many cases where the compiler was disabled and the hacker just uploaded a binary.

    Can you explain to me, with an example, what the procedure is to attack using a binary :eek: (here or in PM)? I have no idea, so I don't know how to protect myself from binary attacks.
    Binary files don't need compilers before running?


    Should this procedure be enough to be safe from binary attacks?
    http://www.admin0.net/security/3partition.htm

  15. goodmove

    BTW, that procedure skips the usrquotas for /usr, /var and /home directories.

  16. rs-freddo

    A binary is just compiled source, it doesn't have to be compiled on your machine, it can be compiled on any similar machine. Whether binary or source depends on the privileges they have gained as to what they can do. If they have root privileges then no amount of partitioning can save your server.

    If they don't have root privileges then I have heard that partitioning can minimise the damage. I'm not a security expert, so I don't know.

    If I uploaded that file I would probably have shell access, exactly the same as if I uploaded a perl shell emulator - no difference. I'm just making the point that it is no use feeling secure because php is locked up when PERL is wide open. No point locking one window when the one next to it is wide open.
