Is this a bug?

Discussion in 'General' started by payne, Jun 9, 2007.

  1. payne

    payne New Member

    Some of my users need safe_mode to be turned off for their scripts. But when I turn off "PHP Safe Mode" in ISPConfig, the open_basedir value is set to the default (no value) and my users can view every file on my server, for example "/etc/passwd". :confused:

    How can I turn off only safe_mode, without changing the open_basedir value?
     
  2. payne

    payne New Member

    Never mind, I edited the /root/ispconfig/scripts/lib/config.lib.php file, so now it's OK :) The open_basedir value does not change when I change the safe mode value.

    Here is what I changed...
    PHP:
    // Original: open_basedir is only written when safe mode is on
    if($web["web_php_safe_mode"]){
        $php .= "\nphp_admin_flag safe_mode On
    php_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/
    php_admin_value session.save_path ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/";
    } else {
        $php .= "\nphp_admin_flag safe_mode Off";
    }
    to..

    PHP:
    // Changed: open_basedir is always written, whatever the safe mode setting
    $php .= "\nphp_admin_value open_basedir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/";

    if($web["web_php_safe_mode"]){
        $php .= "\nphp_admin_flag safe_mode On
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/
    php_admin_value session.save_path ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/phptmp/";
    } else {
        $php .= "\nphp_admin_flag safe_mode Off";
    }

    So I think it's a real PHP security issue for users with little knowledge of PHP. open_basedir must be enabled in ISPConfig by default and not be changeable through the user site's management ;)
     
    Last edited: Jun 10, 2007
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The open_basedir value is not changeable by the user; it is only changeable by the administrator, and an admin of a server should know what he is doing. It is always recommended to enable the PHP safe mode checkbox. Instead of modifying the ISPConfig sources, you might have added an open_basedir value in the Apache directives field. In some scenarios open_basedir should not be set, so enabling it also when PHP safe mode is off is not an option.
     
  4. Ben

    Ben ISPConfig Developer ISPConfig Developer

    @till: That won't work. My problem, e.g., is to have the PEAR directory in the open_basedir beside the site's own dir. If I add this to the Apache directives field, it overwrites the default setting...
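
A check an administrator could run over the generated vhost configuration to find sites left without an open_basedir restriction, the situation discussed in this thread. This is an added example, not ISPConfig code and not part of any post; the sample configuration, host names and paths are constructed.

```python
import re

# Constructed sample of a generated vhost file (host names and paths are made up).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
ServerName www.example.com
php_admin_flag safe_mode On
php_admin_value open_basedir /var/www/web1/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
ServerName www.example.org
php_admin_flag safe_mode Off
</VirtualHost>
<VirtualHost 192.0.2.10:80>
ServerName www.example.net
php_admin_flag safe_mode Off
php_admin_value open_basedir /var/www/web3:/usr/share/php/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the last value of an Apache directive in a vhost body, or None."""
    hits = re.findall(r"^\s*" + name + r"\s+(.+?)\s*$", body, re.M | re.I)
    return hits[-1] if hits else None

def audit_vhosts(conf_text):
    """Return (server_name, problem) pairs for vhosts with weak open_basedir."""
    findings = []
    for body in VHOST_RE.findall(conf_text):
        name = directive(body, "ServerName") or "(unnamed)"
        basedir = directive(body, r"php_admin_value\s+open_basedir")
        if basedir is None or basedir.lower() == "none":
            findings.append((name, "open_basedir not set"))
            continue
        for path in basedir.strip('"').split(":"):
            # Older PHP versions treat the value as a prefix, so /var/www/web3
            # without a trailing slash also matches /var/www/web30.
            if not path.endswith("/"):
                findings.append((name, "no trailing slash: " + path))
    return findings

if __name__ == "__main__":
    for name, problem in audit_vhosts(SAMPLE_CONF):
        print(name, "->", problem)
```

The third sample vhost lists a second directory after a colon, which is how an extra path such as a PEAR directory is added next to the site's own directory on Unix.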
     
