I am going to run a free host, yes I know I should post this in FWHT but well, they dont answer very fast if at all.
It is very dangerous to have Safe Mode OFF on a free host, but someone was telling me about open_basedir, which makes it so they cant touch any files set outside of open_basedir. Would this be suffiecient to keep them from touching others files? I know I need to disable other functions like exec() and stuff but would open_basedir keep hackers away from others files and hacking them...
i need to enable php safe mode on for my joomla and i came across this
Quote:
When the php safe mode is turned off globally by default at our server end, you can still override the setting to turn it ON for only your domain by just insert the following line inside the ".htaccess" file (at Linux server):
Code:
php_value safe_mode "1"
my joomla .htaccess file:
Quote:
## # @version $Id: htaccess.txt 10492 2008-07-02 06:38:28Z ircmaxell $ # @package Joomla # @copyright Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved. # @license http://www.gnu.org/copyleft/gpl.html GNU/GPL # Joomla! is Free Software ##
##################################################### # READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE # # The line just below this section: 'Options +FollowSymLinks' may cause problems # with some server configurations. It is required for use of mod_rewrite, but may already # be set by your server administrator in a way that dissallows changing it in # your .htaccess file. If using it causes your server to error out, comment it out (add # to # beginning of line), reload your site in your browser and test your sef url's. If they work, # it has been set by your server administrator and you do not need it set here. # #####################################################
## Can be commented out if causes errors, see notes above. Options +FollowSymLinks
# # mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits ## If you experience problems on your site block out the operations listed below ## This attempts to block the most common type of exploit `attempts` to Joomla! # # Block out any script trying to set a mosConfig value through the URL RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] # Block out any script trying to base64_encode crap to send via URL RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR] # Block out any script that includes a <script> tag in URL RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] # Block out any script trying to set a PHP GLOBALS variable via URL RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR] # Block out any script trying to modify a _REQUEST variable via URL RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2}) # Send all blocked request to homepage with 403 Forbidden error! RewriteRule ^(.*)$ index.php [F,L] # ########## End - Rewrite rules to block out some common exploits
I have a script that needs safe mode off to run, the script writers have said safe mode is disabled as default and not required and even disabled in php 6
Now I'm not to fimular with Safe mode, all I know is most scripts are wrote to work with this on
Should i switch safe mode on or off . Right now i am using it as on some one told me if i switch it off then server can easily hack but becoz i switch it on im having too much problem specially users of sites having problem of uploading and wordpress also have issue and some more script what you say what should i do?
I would like to know as to whether or not you have php safe mode turned on? If you do, please specify why, and would you allow your clients to turn it off?
I have found on one webhost that they have very cool feature:
Here is what they say:
Quote:
Browsing through any webhost related forum will reveal that giving safe mode off poses extreme security risk to the server. Because it offers hackers a great advantage to access any other members account or read their sensitive files which usually contain passwords.
But then some genuine scripts won't work with safe mode ON. Meaning you could turn it on per member requests but that takes lots of labor.
So we completely reprogrammed the safe mode PHP source code and recompiled it. As a result ours safe mode OFF is light-years safer & hacker-proof then standard PHP v5 safe mode ON.
So all our members are getting safe mode OFF, with harder security then those hosts who offer Safe Mode ON.
So now I am wondering, how they did that? I have searched forums and Google for lots of different keyword but haven't found anything.
I believe a lot of you running Apache as nobody and having php save mode OFF. It there any way you protect yourself? phpsuexec is not a solution now as it increasing load.
i have vps and i enable the safe_mode , but now i need to turn it off becouse i need to install image uploader script and this script need safe mode off to work
so,
what can i do to secure my server while i turn off my safe mode?
I've recently upgraded from Shared hosting to a VPS. I'm currently getting my new VPS setup before migrating my site over. On my shared server, both the global and local safe_mode directives were reported as off by php_infO(). On ym new server, the global is reported as off, but local is reported as on.
On my old server, the PHP was version 4.4.9 running as a CGI. On my new server, PHP 5.1.6 is running as an Apache 2.0 Handler.
I have already set safe_mode to off in my global php.ini file (hence why global is reported by off). However, I have no local php.ini files, htaccess files, or php directive settings in place, so I cannot figure out why local is set to on!
I've tried editing httpd.conf to include "php_admin_flag safe_mode Off", though I'm not certain I put it in the right place. There is only one website on this server.
With the CGI php on my old server, I was able to create a local php.ini file to overwrite global directives, but that seems to have no effect with the Apache Handler on my new server.
what are the most important issues for secure php.ini file like when you turn your SAFE_MODE ON or OFF?
or please who every read this topic to post his important disable_functions in php.ini ... and if some functions disable to post it ...
let's make this subject for the most important issues for secure your php.ini
from script-kids as we can ...
here i have some important question's for anyone has or controlling a server ; vps ....
#0x01 ; what the most important disable_functions for the php.ini? #0x02 ; is the safe_mode should be enabled? or disable? and this depend on what exacly? #0x03 ; what the functions or any trick to control the nobody ( attacker on the server or shell ) FROOZ .... didn't move ? or make any command in the server ... #0x04 ; i saw in some secure server ( as they say ) they changed the Server : discribe to them name[s] like Server : SECURE BY US .COM OR SECURE SERVER .. uname -a : Linux secure.secure.com 2.6.9-023stab040.1 #1 Mon Jan 15 23:24:32 MSK 2007 i686 athlon i386 GNU/Linux sysctl : linux 2.6.9-023stab040.1 Server : SECURE BY US ! < [THIS WHAT I MEAN HOW COULD WE CHANGE IT IN PHP.ini ?] id : uid=99(nobody) gid=99(nobody) groups=99(nobody) <[how can we cannot make this nobody to have the host id ! everyhost in the server should have his own name and php.ini ?] pwd : /home/host/public_html/ #0x05 ; how can we hide the uname -a on the shell [ the attacker upload it to our customer site !] #0x06 ; how can we hide the sysctl to view to anyone like [ attacker ] ... #0x07 ; how can we rewrite on he Server Type the display for our secure message?Server : SECURE BY US ! #0x08 ; how can we give evey site and customer his php.ini file in his public_html? and how can we give him [ JUST HIS PERMISSION TO HIS SITES FOLDER AND NOT OTHER PATHS AND PERMISSION!]
these question every one had a server ; vps , need to know and secure his box from other ...
and anyone would like to publish any new [secure or not] idea please let us know what you would like to say ....
I decided to apply PHP safe mode to my servers, considering:
- I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..)
- I cannot restrict at all via UID/GID method at bins due to several problems..
Safe mode is the final sollution, as I only need "safe_mode_exec_dir" config to set a folder with the necesary binaries... this will stop nobody user (Apache) to exec whatever it wants, like perl, binaries uploaded to an public insecure folder (exploits), or anything else... people only could exec() the binaries I want and where I want. This will stop finally 95% of my hack problems.
Well. The problem is safe_mode is enabled or not, but you cannot set o disable certain features of this safe mode, like UID/GID checks (*******!)...
I am trying to configure so only "safe_mode_exec_dir" would apply, so:
- Including UIDs checks disabled by: safe_mode_include_dir = "/home/" (tested)
- Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...
- safe_mode_exec_dir = "/usr/phpbin/" Great! with symbolic lynks in... the best sollution available for me.
- open_basedir = "/home/" (for fopen, etc...)
Ok ok.. but problems there.. by example this one:
Quote:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823
Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply...
Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff...
can you share your safe_mode configs or sollutions for this problem?
I've just upgraded my apache install to Apache 2.0.59 and PHP 4.4.6 and suddenly open_basedir has stopped working. I have an open_basedir setting in each vhost configuration that used to work fine on php 4.3.9, now upgraded it thinks there is no path specified and I'm getting the usual failures where my scripts are not allowed to write to a directory.
Has anyone else seen this or knows what's happening? I'm on 64-bit Centos 4.4
Assuming that an account on my server is hacked into, is open_basedir enough to protect other users on the same server? I would assume so, since php would not have access to those other accounts? Why is suphp needed?
Ofcourse, I also disabled dynamic loading of modules (apache) and added some disable_functions list.
when I make open_basedir effect in whm > security center
I have in my script this problem :
Warning: tempnam() [function.tempnam]: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/xxxx/:/usr/lib/php:/usr/local/lib/php:/tmp) in /admincp/misc.php on line 685Warning: fwrite(): supplied argument is not a valid stream resource in /admincp/misc.php on line 688Warning: fclose(): supplied argument is not a valid stream resource in /admincp/misc.php on line 689
when I disable it I have this other one problem :
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32010 is not allowed to access /tmp/vbthumbLTfVOk owned by uid ..
I can't correct configure the open_basedir. Safe_mode on server is enabled. Now path to accounts is: /var/www/webx/ . I would like change this path to /webx/ On server are some accounts. How can I do it?
What I did:
-> I set path in php.ini file (/etc/php4/apache2) in open_basedir = line to: /webx/ and /var/www/webx/ too. Without effect.
-> I added <Directory /webx/> php_admin_value open_basedir /webx/ </Directory>
in /etc/apache2/apach2.conf and /etc/apache2/confixx_mhost.conf
Without effect.
After any change I was restarting the apache service through /etc/init.d/apache2 restart, of course.
About the 29th of last month my crons quit working properly, they are still ran but they did nothing.. I finally found out that its giving me an open_basedir error...
I am trying to run the crons from /home/<user>/crons/... The first few lines of the PHP Code includes some required files that are used by the rest of the site...
However, when the cron is ran I get the following email...
Quote:
X-Powered-By: PHP/5.2.1 Content-type: text/html
Warning: include() [function.include]: open_basedir restriction in effect. File(/home/<user>/public_html/includes/common.php) is not within the allowed path(s): (0) in /home/<user>/public_html/live.php on line 7
Warning: include(/home/<user>/public_html/includes/common.php) [function.include]: failed to open stream: Operation not permitted in /home/<user>/public_html/live.php on line 7
Warning: include() [function.include]: Failed opening '/home/<user>/public_html/includes/common.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/<user>/public_html/live.php on line 7 test Notice: Undefined variable: db in /home/<user>/public_html/live.php on line 11
Fatal error: Call to a member function query() on a non-object in /home/<user>/public_html/live.php on line 11
WHM 11.11.0 cPanel 11.15.0-R17665 CENTOS Enterprise 4.5 i686 on standard - WHM X v3.1.0 Apache version1.3.39 (Unix) PHP version5.2.1 MySQL version4.1.22-standard
(Paths have the correct username, I replaced the usernames with <user>...)
I want to include script wpisz.php from /srv/www/vhosts/default/htdocs into /srv/www/vhosts/domena.pl/httpdocs/, but i recive this error:
Code: Warning: main() [function.main]: open_basedir restriction in effect. File(/srv/www/vhosts/domena.pl/httpdocs/wpisz.php) is not within the allowed path(s): (/srv/www/vhosts/default/htdocs:/tmp) in /srv/www/vhosts/default/htdocs/index.php on line 3
Warning: main(/srv/www/vhosts/domena.pl/httpdocs/wpisz.php) [function.main]: failed to open stream: Operation not permitted in /srv/www/vhosts/default/htdocs/index.php on line 3
Warning: main() [function.include]: Failed opening '/srv/www/vhosts/domena.pl/httpdocs/wpisz.php' for inclusion (include_path='.:/usr/share/php') in /srv/www/vhosts/default/htdocs/index.php on line 3
So, I ask you to help me to set it up (propably open_basedir) in that way in which will it work fine. But please.. use a simple language and describe the solution step-by-step because I'm not doing well whith this..
if i enable PHP open_basedir Tweak in cpanel, it disables all sites and none load, do note that the other tweak called Apache mod_userdir Tweak is also enabled.
Now i am wondering is if they both clash with each other to compete for the security ?
Anyone else noticed this also?
Info : WHM 11.15.0 cPanel 11.18.6-S24255 CENTOS Enterprise 5 i686 on standard - WHM X v3.1.0
Is there a way to configure the open_basedir to allow cURL to FOLLOW_LOCATION? I'd like to keep the open_basedir enabled for security but at the same time, I need my site to function properly and that's not a possibility with FOLLOW_LOCATION not working.
I am trying to use chdir() in one of my scripts. However, I am getting an open_basedir restriction error. I have checked the php.ini and the value is not set (which as I understand should disable open_basedir).