safemode, open_basedir and phpsuexec

OK, I know there are lots of posts out there in turning off safe mode for one site. However none work with phpsuexec. If you're running phpsuexec then the
php_admin_value flag
will stop apache from starting.

You can of course put it inside the
<IfModule mod_php4.c>
</IfModule>
tags - but since you are not loading mod_php4.c
it does nothing. (If you are running phpsuexec then the security tweak of enabling open_basedir doesn't work either - for exactly the same reason.)

I like running phpsuexec but it seems that if I want one site with safe mode off then it has to be off for all. And with no open_basedir protection too.

So has anyone using phpsuexec successfully disabled safemode for one site and instituted open_basedir globally?

cPanel.net Support Ticket Number:

 

I figured to put this in php.ini
open_basedir = ".:/usr/lib/php:/usr/local/lib/php:/tmp"
This seems to work and effectively creates a safe mode because users no longer have access to directories containing commands. Once again globally.

If i can create a php.ini for each user that would be great - where does it go??

cPanel.net Support Ticket Number:

 

This would mean that anybody could disable safe mode if you're using cgi php. I sure hope it doesn't work.

cPanel.net Support Ticket Number:

cPanel.net Support Ticket Number:

 

I am coming to the conclusion it's not. Basically running php as cgi makes it as safe as running perl. Therefore running phpsuexec - using safe mode and open_basedir is not necessary.

cPanel.net Support Ticket Number:

 

my point is that you already provide "telnet" to users via PERL, so providing it via php doesn't matter (conversly disabling it in php while making PERL available certainly won't increase server security).

You can protect data with phpsuexec because you can tighten permissions so they can't read or write others files.

safe mode and phpsuexec work fine together - as long as you don't want one site to have safe mode off.

My previous stated inplementation of open_basedir also works with phpsuexec - once again whole server only.

cPanel.net Support Ticket Number:

 

phpsuexec is no longer experimental and permissions no longer have to be changed. PHP files can be uploaded with FTP without chmod - they work fine.

I think disabling c compilers is not necessary as it's easier to just upload a binary. I have seen many cases where the compiler was disabled and the hacker just uploaded a binary.

Permissions - yes, I would ceratinly like to know more about permissions.

cPanel.net Support Ticket Number:

 

A binary is just compiled source, it doesn't have to be compiled on your machine, it can be compiled on any similiar machine. Whether binary or source depends on the privelages they have gained as to what they can do. If they have root priveleges then no amount of partitioning can save your server.

If they don't have root priveleges then I have heard that partitioning can minimise the damage. I'm not a security expert, so i don't know.

If I uploaded that file I would probably have shell access, exactly the same as if I uploaded a perl shell emulator - no difference. I'm just making the point that it is no use feeling secure because php is locked up when PERL is wide open. No point locking one window when the one next to it is wide open.

cPanel.net Support Ticket Number: