Force safe_mode

Discussion in 'General' started by ddelbia, Jan 13, 2006.

  1. ddelbia

    ddelbia Member

    Hi all again :)

    Is there a way to force resellers and clients to use php in safe mode?

    I've just look documentation and previous posts, of course, but I found nothing, sorry!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, currentyl you cant force them. The only solution might be to change the ISPCOnfig scripts to always enable php safemode.
     
  3. heftigrat

    heftigrat New Member

    what is this safe mode of which you speak? it sounds important or like it could be a security issue. could someone's crappy php code crash my server?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This means the php safemode option. If you check the "php safemode" checkbox in ISPConfig, all php scripts where restricted to run in the web directory of this site. Then access to files outside of the web directory where disabled and the site has its own temp directory for PHP files. Its recommended to enable safemode if you enable php.
     
  5. ddelbia

    ddelbia Member

    I'm just looking... it seems quite complex... can someone give me any help?

    I have an idea... I may use an external script that updates the table isp_isp_web.web_php_safe_mode...
    Is it a good idea? :)
    Do I need to do something after all, to activate the configuration?

    I have another idea... what happens if I manually change the global php.ini, setting safe_mode = On?

    With both first and third solutions, I can't have exceptions, but with second solution, I can leave web_php_safe_mode to 0... i think this is more interesting...
     
  6. falko

    falko Super Moderator ISPConfig Developer

    No, not a good idea... You should have a look at /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_web.lib.php.

    It has no effect on the web sites created by ISPConfig because if PHP Safe Mode is disabled for a web site in ISPConfig, then ISPConfig writes some directives into the vhost that disable PHP Safe Mode, no matter what's in php.ini.
     
  7. falko

    falko Super Moderator ISPConfig Developer

    I've just had a better idea: you could create a hostingplan in ISPConfig with PHP Safe Mode checked, and then create new web sites from that hostingplan. Then Safe Mode is enabled by default.
     
  8. ddelbia

    ddelbia Member

    Ok, but the reseller can use individual settings too, isn't it? I have bad resellers ;)
    I'll try to hack ispconfig_isp_web.lib.php, this seems the only solution...
    BTW, why the script idea is bad?
     
  9. falko

    falko Super Moderator ISPConfig Developer

    Because you do the changes after the initial configuration has been written. It's not only that you update the PHP Safe Mode field in the database, but you also have to set the status of the corresponding web site to u, and then you have to create an empty file /home/admispconfig/ispconfig/.run; the existence of this file makes the ISPConfig backend rewrite the configuration files.
    It's a little bit tricky...
     
  10. ddelbia

    ddelbia Member

    Then I need a script that:

    1) updates php_safe_mode field
    2) if updated: update web site's status field
    3) if updated: touch /home/admispconfig/ispconfig/.run & chmod admispconfig?

    I'll try, thank you :)
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, but i think you dont have to chmod the .run file, as it is deleted by a process with root priveliges.

    But your approach has one drawback. Updating the config files can take a lot of resources if you have many sites, so doing this twice might be a problem on large installations.
     
  12. falko

    falko Super Moderator ISPConfig Developer

    Yes, that's correct. :)
     
  13. Norman

    Norman Member

    I thought I might revive a long since "dead" thread.
    Are there any easy ways in recent ispconfig versions to force resellers to have safe_mode on ?
     
  14. falko

    falko Super Moderator ISPConfig Developer

    No, that's not possible. I've added this to our bugtracker.
     
  15. Norman

    Norman Member

    Ive solved this temporarily by forcing php-cgi on all accounts and with higher security requirments.

    Ill be doing a pentest on the ISPconfig installations in the future to see more can be improved. Modify umask settings etc for new users.
     

Share This Page