Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 16th January 2006, 14:51
ddelbia ddelbia is offline
Member
 
Join Date: Dec 2005
Posts: 56
Thanks: 1
Thanked 0 Times in 0 Posts
Default Big issue with suPHP

Hi all!

I discovered suPHP by this forum, then I think someone here are using it...

I discovered a big issue: suPHP ignores php_admin and php_admin_values in apache2.conf (or Vhosts_ispconfig.conf)!

Then a cfg like this:

Code:
<VirtualHost 1.2.2.4:80>
...
php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web2/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web2/phptmp/
php_admin_value session.save_path /var/www/web2/phptmp/
...
</VirtualHost>
...doesn't work!

The only way to change php settings per-virtualhost is creating a custom php.ini file in a custom directory:

Code:
<VirtualHost 1.2.2.4:80>
...
suPHP_ConfigPath /etc/apache2/dir_with_customized_php_ini
...
</VirtualHost>
I think I can't run suPHP with ISPConfig :-(
Any idea?
Reply With Quote
Sponsored Links
  #2  
Old 16th January 2006, 17:39
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,983
Thanks: 825
Thanked 5,372 Times in 4,219 Posts
Default

Either dont use SuPHP or change ISPConfig to create a custom php.ini
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 16th January 2006, 18:01
ddelbia ddelbia is offline
Member
 
Join Date: Dec 2005
Posts: 56
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till
Either dont use SuPHP or change ISPConfig to create a custom php.ini
I think I'll disable suPHP for now, but I'll try to do some changes... are there some docs or can you tell me where to start?

Thank you again Till, you're becoming my best friend!
Do you plan to come here in Italy for holiday? ;-)
Reply With Quote
  #4  
Old 16th January 2006, 18:31
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,983
Thanks: 825
Thanked 5,372 Times in 4,219 Posts
Default

Quote:
Originally Posted by ddelbia
I think I'll disable suPHP for now, but I'll try to do some changes... are there some docs or can you tell me where to start?
Have a look at the script:

/root/ispconfig/scripts/lib/config.lib.php

the relevant function is named:

make_vhost($server_id) {
......

Quote:
Thank you again Till, you're becoming my best friend!
Do you plan to come here in Italy for holiday? ;-)
Thanks, I will send you a pm if i will make hollidays in italy
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 17th January 2006, 21:56
ddelbia ddelbia is offline
Member
 
Join Date: Dec 2005
Posts: 56
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till
Thanks, I will send you a pm if i will make hollidays in italy
Ok! This is valid for falko too ;-)

On topic, I realized now that there are no problems with suPHP, because php_admin commands are used in virtualhosts by ISPConfig only for setting safe mode (am I right?)... and, after reading some forums out here, suPHP makes safe mode obsolete.

Now, the only disadvantage of suPHP are the poor performances, the same of php-cgi (php is called by CLI)... but I prefer to have better security and to avoid problems caused by safe mode (uploaded files permissions, for example)

I read something about fastcgi php ( see http://www.t17.ds.pwr.wroc.pl/~misie...eModFastcgiPHP ), but it seems quite complex to install, tune and specially mantain (it require to download and compile php source, I like too much debian apt-get and security updates!)...

See you :-)
Reply With Quote
  #6  
Old 18th January 2006, 18:11
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
Default

Quote:
Originally Posted by ddelbia
Ok! This is valid for falko too ;-)
This is good to know!
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #7  
Old 11th May 2006, 07:35
djtremors djtremors is offline
Senior Member
 
Join Date: Apr 2006
Location: Sydney
Posts: 278
Thanks: 0
Thanked 12 Times in 10 Posts
Default

I know this is a late topic but I thought I'd throw in my piece.

I've been researching on how to better secure php with ISPconfig installed and been playing around with suphp, suexec and mod_php in safe_mode=on

I found you can relax the strict safe_mode of mod_php with file uploads by setting the safe_mode_gid=on then setting the phptmp folder with chmod g+s.

This works where apache user (www/nobody/wwwuser/apache/etc) writes to that temp folder and the GID is kept. mod_php can still read that file so it works.

The only thing I didn't check or confirmed is that the quota for the user is counted as the user who owns the file is still the httpd servers user and not the user of the account.

Now someone can confirm this 100% because this was a week ago and I think that was all I did to make it work. I don't think there was any special other tweaks but you'd need to change your make_vhost($server_id) to change the permissions.

Last edited by djtremors; 11th May 2006 at 07:37.
Reply With Quote
  #8  
Old 13th May 2006, 11:05
MvincM MvincM is offline
Member
 
Join Date: Apr 2006
Posts: 62
Thanks: 1
Thanked 4 Times in 2 Posts
Default

Hi,

Are those options by default in ISPC?

php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web2/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web2/phptmp/
php_admin_value session.save_path /var/www/web2/phptmp

I can't see them in Vhosts_ispconfig.conf. Ddelbia are you put them youself?

Best regards,
MvincM
Reply With Quote
  #9  
Old 13th May 2006, 12:16
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,741 Times in 2,575 Posts
Default

Quote:
Originally Posted by MvincM
Hi,

Are those options by default in ISPC?
Yes.

Quote:
Originally Posted by MvincM
I can't see them in Vhosts_ispconfig.conf. Ddelbia are you put them youself?
They are written by ISPConfig if you enable PHP Safe Mode for the web site.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #10  
Old 14th May 2006, 08:50
MvincM MvincM is offline
Member
 
Join Date: Apr 2006
Posts: 62
Thanks: 1
Thanked 4 Times in 2 Posts
 
Default

Ohhh. I see.

Thank you for info.

But it could be useful to have

php_admin_value open_basedir /var/www/web2/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /var/www/web2/phptmp/
php_admin_value session.save_path /var/www/web2/phptmp

without

php_admin_flag safe_mode On

First of them increase security level without some "safe_mode" issues.

It is possible?

MvincM
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Web Server FedoraCore4 issue educandote Installation/Configuration 9 19th January 2006 17:20
Dns "a Record" Issue sebroeck Installation/Configuration 3 8th December 2005 14:07
Outlook 2003 issue with courier-pop3 RotHorseKid Installation/Configuration 6 7th December 2005 20:35
suphp Bruce Installation/Configuration 2 16th November 2005 17:09
issue on site creation quicklinux Installation/Configuration 4 4th August 2005 21:59


All times are GMT +2. The time now is 09:46.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.