safemode, open_basedir and phpsuexec

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
OK, I know there are lots of posts out there in turning off safe mode for one site. However none work with phpsuexec. If you're running phpsuexec then the
php_admin_value flag
will stop apache from starting.

You can of course put it inside the
<IfModule mod_php4.c>
</IfModule>
tags - but since you are not loading mod_php4.c
it does nothing. (If you are running phpsuexec then the security tweak of enabling open_basedir doesn't work either - for exactly the same reason.)

I like running phpsuexec but it seems that if I want one site with safe mode off then it has to be off for all. And with no open_basedir protection too.

So has anyone using phpsuexec successfully disabled safemode for one site and instituted open_basedir globally?

cPanel.net Support Ticket Number:
 

mmkassem

Well-Known Member
Oct 21, 2002
390
0
166
Egypt
Sure anything you put for php in httpd.conf won't work because phpsuexec runs php as cgi.

But I think phpsuexec allows you to have a php.ini for every user.

make a blank php.ini and put in it the safe variable turned off. But the user of this php.ini can edit it.

As for open basedir I do not know.
 
Last edited:

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
I figured to put this in php.ini
open_basedir = ".:/usr/lib/php:/usr/local/lib/php:/tmp"
This seems to work and effectively creates a safe mode because users no longer have access to directories containing commands. Once again globally.

If i can create a php.ini for each user that would be great - where does it go??

cPanel.net Support Ticket Number:
 

mmkassem

Well-Known Member
Oct 21, 2002
390
0
166
Egypt
Originally posted by rs-freddo
I figured to put this in php.ini
open_basedir = ".:/usr/lib/php:/usr/local/lib/php:/tmp"

This seems to work and effectively creates a safe mode because users no longer have access to directories containing commands. Once again globally


hmm.. I do not think this will work for all scripts.

If i can create a php.ini for each user that would be great - where does it go??
in the folder you want to enable/disable a feature in.

SO ex. if you have a forum installed in /home/username/forums and you want to enable register global in it then create a blank php.ini in /home/username/forums
with only the register global variable and turned on.
 

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
Originally posted by mmkassem

in the folder you want to enable/disable a feature in.

SO ex. if you have a forum installed in /home/username/forums and you want to enable register global in it then create a blank php.ini in /home/username/forums
with only the register global variable and turned on.
This would mean that anybody could disable safe mode if you're using cgi php. I sure hope it doesn't work.

cPanel.net Support Ticket Number:

cPanel.net Support Ticket Number:
 

mmkassem

Well-Known Member
Oct 21, 2002
390
0
166
Egypt
Originally posted by rs-freddo
This would mean that anybody could disable safe mode if you're using cgi php. I sure hope it doesn't work.

cPanel.net Support Ticket Number:

cPanel.net Support Ticket Number:
yeah they can disable safe_mode if they want.

cPanel.net Support Ticket Number:
 

mpierre

Well-Known Member
Jun 30, 2002
196
0
166
Yes, they can disable Safemode, but then, all PHP scripts can be set to right 400 or 600.

As such, you can effectivly protect files, no ???

Unless I am missing something...

Is Safemode REALLY needed under PHPsuexec ?

cPanel.net Support Ticket Number:
 

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
I am coming to the conclusion it's not. Basically running php as cgi makes it as safe as running perl. Therefore running phpsuexec - using safe mode and open_basedir is not necessary.

cPanel.net Support Ticket Number:
 

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
Originally posted by rs-freddo
I am coming to the conclusion it's not. Basically running php as cgi makes it as safe as running perl. Therefore running phpsuexec - using safe mode and open_basedir is not necessary.

cPanel.net Support Ticket Number:
It depends on what kind of security are you searching ...

"safe mode" / "php openbase" and phpsuxec are not the same thing .


"safe mode" and "php openbase" offer to you and to your users more data privacy *.

"phpsuexec" does not protect the privacy of your data users , but permits you to monitor what are doing the users with php scripts. So you can stop abuser and know which is the abusers (such as with perl and suexec) .

Suppose you have an hacker which is slowing down the server with a php script . "safe mode" and "php openbase" will not help you ! With phpsuexec , you will know the user which is abusing of system resources . Without phpsuexec php scripts
runs nobody and it's not easy to identify the abuser also if you can stop the process.

Regarding data privacy (looking or executing files outside of /home/user) , phpsuexec provides NO protection similar to safe mode or openbase dir .

Unluckly "safe mode" / "php openbase" and "phpsuexec"
cannot work togheter .

Since phpsuxec doesn't protect data privacy and is still experimental , I still prefer to have Safe mode ON without phpsuexec .



* "Safe mode" avoid also the execution of shell commands using php . php without safe mode ON is like to provide telnet to your users (!) .
 
Last edited:

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
my point is that you already provide "telnet" to users via PERL, so providing it via php doesn't matter (conversly disabling it in php while making PERL available certainly won't increase server security).

You can protect data with phpsuexec because you can tighten permissions so they can't read or write others files.

safe mode and phpsuexec work fine together - as long as you don't want one site to have safe mode off.

My previous stated inplementation of open_basedir also works with phpsuexec - once again whole server only.

cPanel.net Support Ticket Number:
 

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
Originally posted by rs-freddo
my point is that you already provide "telnet" to users via PERL, so providing it via php doesn't matter (conversly disabling it in php while making PERL available certainly won't increase server security).

You can protect data with phpsuexec because you can tighten permissions so they can't read or write others files.
>

I know it , however I know also that php is most used now (respect of perl) . Based on my experience I noticed that a lot of hackers prefer to hack using php . Just my opinion. Of course you are right , perl is always opened since there doesn't exist a safe mode .

>
safe mode and phpsuexec work fine together - as long as you don't want one site to have safe mode off.
>

I didn't know it , however if I cannot turn off safe mode for some user is a problem.

>
My previous stated inplementation of open_basedir also works with phpsuexec - once again whole server only.
>

whole server ... for me is a problem , I need at least 1 or 2 users with no limitation.

Considering that with phpsuexec users can works with permissions better than without phpsuxec is a good security point . However ... remain the fact that phpsuexec is still experimental and not always users are so expert to work fine with permissions.

I think we should look after . Disabling c compilers , reducing 777 directories and possibility to execute files there , ..other ...

cPanel.net Support Ticket Number:
 

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
phpsuexec is no longer experimental and permissions no longer have to be changed. PHP files can be uploaded with FTP without chmod - they work fine.

I think disabling c compilers is not necessary as it's easier to just upload a binary. I have seen many cases where the compiler was disabled and the hacker just uploaded a binary.

Permissions - yes, I would ceratinly like to know more about permissions.

cPanel.net Support Ticket Number:
 

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
Originally posted by rs-freddo
phpsuexec is no longer experimental and permissions no longer have to be changed. PHP files can be uploaded with FTP without chmod - they work fine.

I think disabling c compilers is not necessary as it's easier to just upload a binary. I have seen many cases where the compiler was disabled and the hacker just uploaded a binary.

Permissions - yes, I would ceratinly like to know more about permissions.

cPanel.net Support Ticket Number:
It is no longer experimental ? Do you know the ufficial link of phpsuxec ?

And what happens if you install/try this on your phpsuxec box ?

http://www.digitart.com.mx/php/myshell/
 
Last edited:

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
>
I think disabling c compilers is not necessary as it's easier to just upload a binary. I have seen many cases where the compiler was disabled and the hacker just uploaded a binary.
>

Can you explain me with an example which is the procedure to attack using a binary :eek: (here or in pm) ? I have no idea so I don't know how to protect me from binary attacks.
Binary files doesn't need compilers before running ?


This procedure should be enough to be safe from binary attacks ?
http://www.admin0.net/security/3partition.htm

cPanel.net Support Ticket Number:
 

goodmove

Well-Known Member
May 12, 2003
640
3
168
BTW, that procedure skips the usrquotas for /usr, /var and /home directories.

cPanel.net Support Ticket Number:
 

rs-freddo

Well-Known Member
May 13, 2003
834
1
168
Australia
cPanel Access Level
Root Administrator
A binary is just compiled source, it doesn't have to be compiled on your machine, it can be compiled on any similiar machine. Whether binary or source depends on the privelages they have gained as to what they can do. If they have root priveleges then no amount of partitioning can save your server.

If they don't have root priveleges then I have heard that partitioning can minimise the damage. I'm not a security expert, so i don't know.

If I uploaded that file I would probably have shell access, exactly the same as if I uploaded a perl shell emulator - no difference. I'm just making the point that it is no use feeling secure because php is locked up when PERL is wide open. No point locking one window when the one next to it is wide open.

cPanel.net Support Ticket Number: