Disable/Bypass Suexec Per Vhost Domain
Oct 12, 2007
I am running on:
Plesk version: psa v8.0.1_build80060613.20 os_CentOS 4.2
Operating system: Linux 2.6.9-023stab033.6-smp
License key number: PLSK.00170782.0006
I need to be able to access CGI between vhost domains, in particular one frequently updated file located 'centrally' in the cgi-bin of one of the vhost domains.
I would like other vhost domains to be able to access this file, but suexec won't let that happen. I have searched around and tried the following:
Created vhost.conf file in the conf directory of one of the domains.
The vhost.conf file contained:
<IfModule mod_suexec.c>
SuexecUserGroup userid psacln
</IfModule>
I ran:
/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain name>
Then rebooted.
The result was that all the vhosts stopped working. I reset websrvmng and things returned to normal.
Then I tried updating the httpd.include file, adding:
<IfModule mod_suexec.c>
SuexecUserGroup userid psacln
</IfModule>
Then rebooted.
The result was the same: all vhosts stopped working.
Does anyone have an idea how I can achieve this? I know I can disable suexec altogether, but that wreaked a little havoc with the CGI app when I tried it.
View 2 Replies
Oct 20, 2009
I need to change the server configuration on Plesk such that the SuexecUserGroup directive is removed, so the user's cgi scripts run as the apache user (www-data), rather than as the user specified in that directive (the domain user), as on an unshared (non-VPS) server. I don't care about security from other domains because only one domain runs on it anyway, so making the user domain-specific is irrelevant from a security point of view and stops some of the user's code working.
This directive is found in
/var/www/vhosts/domainname.com/conf/httpd.include
and is:
SuexecUserGroup user psacln
(this line appears twice, for ports 443 and 80)
I understand that this file can't be modified, as it may be overwritten by Plesk. Therefore additional directives must go in the vhost.conf file.
Will the following vhost.conf file do the trick and override the directives in httpd.include?
<VirtualHost domainIP:443>
SuexecUserGroup www-data www-data
</VirtualHost>
<VirtualHost domainIP:80>
SuexecUserGroup www-data www-data
</VirtualHost>
View 1 Replies
Mar 25, 2009
Is it good or not, and why should we enable or disable it on a cPanel server or other server?
View 11 Replies
Jul 14, 2014
I want to activate WebDAV for a specific domain with a vhost conf file, but I do not have a /conf directory in the domain path. How can I manage this?
View 2 Replies
May 15, 2007
Has anybody been successful in disabling awstats for one domain only? I've seen this method somewhere else but was wondering if any of you guys have tried it here:
----------------------
Append the line,
skipawstats=1 to the file /var/cpanel/users/<username>
----------------------
View 4 Replies
Jul 12, 2007
I created a new cPanel account subdomain.domain.com.
Sometimes when I go to [url] in my browser, it changes to www.subdomain.domain.com.
I want to disable 'www' for some 'xml' script reason.
How do I do that?
View 12 Replies
Jul 29, 2007
When dealing with the security of your server you will eventually get to the part where you will want to disable some PHP functions. The only problem on shared hosting is that you cannot disable exec for one domain and enable that function for another that needs it because of some lame script. Eventually you will get to the point where you will need to enable exec on the entire server because of one site.
There is a solution to this and it’s called suhosin.
Suhosin has a configuration variable called ”suhosin.executor.func.blacklist” which can be used to disable some php functions. The difference between this variable and disable_functions in php.ini is that it can be set for all the sites and then it can be modified for a domain only (it can be overwritten) so you will be able to disable exec on the entire server and enable that function for a single domain.
I will not write here how to install suhosin.
Also, you only need the extension for this so you do not need to patch php and recompile.
IMPORTANT: I have noticed that the suhosin extension 0.9.20 will not work anymore as there are some problems with it. It’s ok as long as we have 0.9.18. Probably the next version of the extension will be fixed to work ok again so remember to use version 0.9.18 for this until the problem is fixed.
Ok, so to use suhosin as the PHP function blocker we need to comment out disable_functions in php.ini (yes, enable all the functions) and then set suhosin.executor.func.blacklist in php.ini to something like this:
suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
You can add as many functions as you like.
After that, all the functions added in suhosin.executor.func.blacklist will not work anymore in PHP scripts. If you need to enable a function for a domain, let's say exec, you will have to edit the Apache configuration file and add suhosin.executor.func.blacklist without the exec function:
<VirtualHost 127.0.0.1>
ServerAlias www.test.com
ServerAdmin webmaster@test.com
DocumentRoot /home/test/public_html
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg"
</VirtualHost>
Now exec is disabled on the server but enabled on the test domain.
View 0 Replies
Jul 25, 2014
How do we disable email on the domain entirely? The client is hosting email externally - the offered spam filtering is wholly inadequate and we're seeing a few of these happening - to the point I'm considering offering externally hosted email plans anyway - but back to the problem - I need to delete the mailboxes, then disable mail, and then remove the DNS records for webmail etc., but I can't seem to find how to turn off locally hosted email for a domain.
View 11 Replies
Feb 14, 2015
My customer uses Exchange in their internal office, and the HTTPS port conflicts with their work. How do I disable the HTTPS port on their domain?
I am using plesk 11.x and I have about 300 domains on it.
View 1 Replies
Feb 24, 2015
Is it possible to control if nginx is active on a per domain basis? If so, how do we configure this. If not, how do we disable nginx completely?
View 3 Replies
Apr 2, 2015
New to Plesk in general so I don't know for sure if the "Register Domain Names" feature is part of our 'Web Pro Edition' or comes by default.
Also, is the domain registration option showing up because when installing Plesk I enabled the "Enable access to premium commercial apps"?
So my question is, can we still set it up so users have access to install applications (free and commercial), but disable the domain registration option?
View 1 Replies
Jun 23, 2015
I have a Plesk 12 server running under Debian 7. I have a website with only mail, so I disabled web hosting. The problem is that the client needs to use webmail, but webmail does not work (maybe because web hosting is disabled)...
View 1 Replies
Jan 21, 2014
My Plesk Panel version is 11.0.9 on Microsoft Windows Server 2008 R2 Service Pack 1, with mail server IceWarp Server 10.2.2.
My subscription has 2 domains: matbaocare.com (main domain) & matbaocare.net (second domain).
When I create an e-mail address, by default I can choose between several domains on my account, @matbaocare.com or @matbaocare.net.
But I don't want to create e-mail addresses on the second domain; only the main domain should be able to use email!
How do I configure Plesk to automatically disable creating e-mail addresses on the other domains of an account?
View 7 Replies
Aug 6, 2014
I have several domains configured in my Plesk, and one of them is set as the "Default site" under Home >> Tools & Settings > IP address management. This has the unpleasant side effect that any domain I point to this IP renders content from the Default site unless it's set up. How can I configure the default site to render content from only one domain?
View 1 Replies
Aug 24, 2007
I have put an Access database inside an access_db folder on Godaddy and written some .asp pages that query it. I am trying to make sure that I take necessary precautions against hackers reading or even writing to the database. Maybe someone can give some remarks about whether any of these concerns are realistic, and if so, why and what I could do about it?
1) Could someone somehow navigate directly to the database and read or write to it (the access_db folder seems to have no read/write permissions as set by default by Godaddy, but how secure is that?)
2) I permit entry through use of a userid and password that are looked up in an mdb in the same folder (not listed in the html itself). If there's a match, I store the userid as a session cookie. Then, to visit any other pages, each page first checks to see if the cookie is empty before proceeding. Is it possible for someone to set the cookie themselves and thus break through (can a cookie be set manually?) If so, would it help if I mandated that the cookie be set to something specific (right now it just has to be non-blank), or can they find out what the cookie should be set to as well?
View 3 Replies
Apr 10, 2014
I'm trying to get an exception from auth (.htpasswd) for one specific URL, but it seems that it does not work with my rewriting rules. Disabling RewriteEngine solves the auth problem. My .htaccess:
Code:
SetEnv APPLICATION_ENV development
# Rewrite
RewriteEngine On
RewriteBase /
# ZEND
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
[Code] .....
View 1 Replies
May 5, 2007
I accidentally found that it is possible to de-activate mod_security in a certain directory by using a .htaccess like this...
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
I believe it's something related to the "AllowOverride" directive from Apache, but I'm not exactly sure; the available arguments for this directive are "AuthConfig, FileInfo, Indexes, Limit, Options". I've tried hard to find a way to not disable the usage of .htaccess files and keep their functionality, but also to prevent them from being able to modify the functionality of mod_security.
I'm sure anyone here could help me with this issue, as it's a big pain for any server running Apache in a shared vhosting environment.
View 13 Replies
Jul 23, 2009
My blog is set up to display in the root of my domain, although the files on the server sit within their own folder:
i.e.
Server files:
Public_html/wordpressfiles/
Browser displays:
www.mydomain.com/
(displays pages from /wordpressfiles)
The problem I have is that I can't access individual directories within the root, unrelated to wordpress.
e.g.
I have
Public_html/folder2/...
set up on the server, but if I enter the path in my browser:
www.mydomain.com/folder2
wordpress thinks I want to access:
www.mydomain.com/wordpress/folder2
...which doesn't exist.
How can I regain access to folders in the root, without wordpress interfering?
View 2 Replies
Feb 6, 2008
Recently, some of our Linux/cPanel servers got hacked (not rooted) using the following code (method):
#!/usr/bin/perl
symlink ("/home/USER/config.php","/home/USER2/test.txt");
The hacker just executes the perl file, then calls the "test.txt" file through Internet Explorer, and it's done: he can read the file easily!
We tried to :
1- run php as CGI module.
2- run SUPHP module.
3- run php as apache module.
4- enable open_basedir and safe_mode.
But the hacker can still bypass the system!
The only solution is to disable /usr/bin/perl by chmoding it to 700, but that caused a broken cPanel,
as it requires it to be at 755 for proper operation, since it is used by customers as well when it suexecs into the user when they log into cPanel. So we cannot change it to that setting (700), since it breaks the entire system.
So is there any way to stop the "symlink" perl function?
Any way to stop this attack method?
View 14 Replies
Feb 20, 2013
I just set up an intranet wiki running apache2.2 on ubuntu 12.04. The server currently requires two-way certificate authentication (i.e. a server cert AND client certs). In <VirtualHost *:80>, Redirect permanent / https://<intranetSite>
Everything works dandy, except now that I'd like to find a way to bypass the client cert check for localhost so that I can run some maintenance scripts via cron on the server. Or perhaps it's possible to bypass SSL entirely, just for localhost?
View 2 Replies
Apr 23, 2009
Do you have any idea how to patch PHP suEXEC for the "ln" command?
View 9 Replies
Mar 23, 2008
What do fellow users here set --with-suexec-docroot to in Apache installations when the cgi-bin folder is outside the public_html folder?
Looks like setting it to /home is the only way.
View 0 Replies
Jun 17, 2009
I installed lsws without an Apache conf file (httpd.conf). Then I created a new virtual host from the "suEXEC" template. I added a new user via SSH, made a home dir for him and chowned his home dir + all his files to hisusername:hisusername. His home dir (/home/user/) is chmoded to 755 and his /public_html to 711. It worked fine, but after that I installed the phpbb3 forum and when I tried to chmod config.php to 600 I got an error on the forum:
Fatal error: require() [function.require]: Failed opening required './config.php' (include_path='.:/usr/local/lib/php') in /home/username/public_html/common.php on line 127
When I was using lsws with the Apache conf file and I had configured suEXEC + suPHP for Apache, I was able to chmod the config file to 600 and it worked fine. I have no idea what the problem could be now.
It works fine when I chmod config.php to 755, but for security reasons I would need a way to configure it to 600.
LiteSpeed is running as nobody:nobody.
External App settings:
LSAPI App
$VH_NAME_lsphp
uds://tmp/lshttpd/$VH_NAME_lsphp.sock
SCRIPT HANDLER settings:
Suffix: php5
Type: LiteSpeed API
Name: [VHost Level]: $VH_NAME_lsphp
View 7 Replies
Feb 8, 2008
What are suexec / suphp, and for what purpose do we use them?
View 1 Replies
Mar 15, 2008
I have a problem in the last step of the Apache upgrade (apache 2.2.8 + php5),
exactly in "Configure Suexec and PHP".
I found that this option doesn't offer multiple values such as CGI or Suphp; I just found "none":
PHP 5 Handler none
PHP 4 Handler none
I have to go back to building apache1 with php4 so I can see suphp and cgi in the "PHP 4 Handler" option of "Configure Suexec and PHP".
View 5 Replies
May 11, 2008
Is there any which works with this turned on?
View 3 Replies