#1
8th February 2006, 14:59
bersi
PHP SafeMode and open_basedir

Hi,
Hope this wasn't here earlier...
Here it comes: when enabling safeMode in ISPConfig, both the safemode and the open_basedir flags are set. Well, good of course, but not very fine-grained. A real-life situation could be a PHP site using ImageMagick via system calls. This would be deferred through the safeModeFlag. Switching SafeMode off in ISPConfig helps, but then the openBasedir flag is unset too, leaving a potentially risky situation. Wouldn't it be an idea to switch those parameters independently?
#2
8th February 2006, 17:15
falko

Do you have a detailed example where you would need this?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3
8th February 2006, 17:36
bersi

Quote:
using ImageMagick via systemcalls.
I have clients where ImageMagick is used for image handling (better than gd), which is called from PHP with the system call. With safemode all system calls are disabled. This could be tuned by the execdir flag, but I don't know if this would be very compatible with all the different Linuxes.
The open_basedir flag operates on its own, so using this security feature does not rely on safemode. In my view the open_basedir should always be set on a shared server. If the safemode were operated separately in ISPConfig, one could allow system calls (safemode off) but still limit the scope of PHP to the open_basedir settings. See also the numerous posts on CMS and other software packages where the safemode has to be set off. In most of them, even with safe mode off, there could be extra security with the basedir setting in effect.

Now ispconfig toggles both at the same time, so you get safemode with openbasedir or no safemode with no openbasedir.

Hope that's enough to make my case?
#4
8th February 2006, 23:44
falko

Ok, let me check this...
#5
9th February 2006, 10:35
bersi

Thanks!
And now I have to think up some text to fill the reply.
#6
19th February 2007, 12:30
dasjoen

Quote:
Originally Posted by falko
Ok, let me check this...
I would also like open_basedir etc. to be separate from the "Safe Mode" checkbox.

An alternative way would of course be to check "Safe Mode" (to get open_basedir), and then to put "php_admin_flag safe_mode Off" into Apache Directives. This doesn't work, however, because the Apache Directives stuff gets inserted above the safe mode stuff in Vhosts_ispconfig.conf. Is there a reason for this?
#7
20th February 2007, 17:51
falko

You could modify the vhosts.conf master template in /root/ispconfig/isp/conf and move the Apache Directives placeholder below the other directives.
#8
21st February 2007, 12:16
djtremors

I suggest to just do what I do and patch /root/ispconfig/scripts/lib/config.lib.php

$php .= "\nphp_admin_flag safe_mode On
to
$php .= "\nphp_admin_flag safe_mode Off

And leave safemode On in each Vhost. Safemode will be off really, but all the other nice options are On. This also fixes problems with things like Joomla etc. (unless you use 1.5) and other uploaded file problems.
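
An added example, not part of the thread and not ISPConfig code: a small audit over a generated vhost file that reports the effective safe_mode and open_basedir for each vhost and lists the vhosts left with neither restriction. It assumes, as post #6 describes, that the later of two duplicate php_admin directives wins; the sample vhosts, server names and paths are constructed.

```python
import re

# Constructed sample: custom directive above the generated ones (post #6),
# custom directive below them (post #7), and a vhost with Safe Mode unchecked.
SAMPLE_VHOSTS = """\
<VirtualHost 192.0.2.10:80>
ServerName www.example.com
php_admin_flag safe_mode Off
php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web1/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
ServerName cms.example.com
php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web2/
php_admin_flag safe_mode Off
</VirtualHost>
<VirtualHost 192.0.2.10:80>
ServerName shop.example.com
</VirtualHost>
"""

PHP_ADMIN = re.compile(r"^php_admin_(?:flag|value)\s+(\S+)\s+(.+)$", re.I)

def effective_php_settings(conf_text):
    """Map ServerName -> effective settings; None means not set in the vhost."""
    result, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("<virtualhost"):
            current = {"name": "(unnamed)", "safe_mode": None, "open_basedir": None}
        elif current is None:
            continue
        elif low.startswith("</virtualhost"):
            result[current.pop("name")] = current
            current = None
        elif low.startswith("servername "):
            current["name"] = line.split(None, 1)[1]
        else:
            m = PHP_ADMIN.match(line)
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2).strip("\"'")
            if name == "safe_mode":  # assumption: last occurrence wins
                current["safe_mode"] = value.lower() in ("on", "1")
            elif name == "open_basedir":  # "none" clears an earlier value
                current["open_basedir"] = None if value.lower() == "none" else value
    return result

def unconfined_vhosts(conf_text):
    """Vhosts with safe_mode not on and no open_basedir restriction."""
    return sorted(n for n, s in effective_php_settings(conf_text).items()
                  if not s["safe_mode"] and s["open_basedir"] is None)
```

A vhost reported with safe_mode False and an open_basedir path is the combination the thread asks for; anything returned by unconfined_vhosts falls back to whatever php.ini sets globally.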