zoli do something about this also !

Web page creation, programs, scripts, PHP, SQL?

Moderator: Moderators

Postby naveed » Sat Jul 31, 2004 5:19 pm

Hi zoli,

I really appreciate you to run such services.I am new to this community.And was just reading the post about "" PHP safe_mode ""

In my opinion you should not enable it on at least free accounts.
Thats just a suggestion , it depends on you. :):)

In the meantime i have found some slight problem and i think i should point out it ,, even on the servers PHP is running under safe mode and phpinfo() is saying that socket functions are disabled

<a href='http://www.polarhome.com:793/~naveed/phpinfo.php' target='_blank'>http://www.polarhome.com:793/~naveed/phpinfo.php</a>

But i have noticed that some socket functions are still working , I think you should re-consider them .Because PHP is compiled with --enable-sockets.
And anyone can use them for malicious purposes ...

(Note:- dont think I m too among those spammers,only I am in hobby of testing things like this)

as an example take a look at this page ...

<a href='http://www.polarhome.com:793/~naveed/test.php' target='_blank'>http://www.polarhome.com:793/~naveed/test.php</a>


regards

naveed@php.net
naveed
Newbie
 
Posts: 8
Joined: Sat Jul 31, 2004 4:17 pm

Postby zoli » Tue Aug 03, 2004 11:58 pm

hi,

seems you have a good connections with php.net.
If you help me to configure system that satisfies following requirements:
- php users run php with their UID/GID
- just shell users can have access to mail() and socket functions

than I will be happy to open polarhome with safe_mode=off etc.
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Forum Admin
 
Posts: 785
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden

Postby miker_alpha » Wed Aug 04, 2004 8:24 pm

ATT: Zoli
Please note that (I think...) safe_mode has been left OFF on Alpha.Polarhome.com.

However, to make up for this CGI is not enables in users directories.
There was a thread about it <a href='http://www.polarhome.com/forum/index.php?showtopic=652&st=0&#entry4582' target='_blank'>here.</a>
(note esp. my posts of 30th June)

Of course I could be wrong :( about this!

MikeR
Look for OpenVMS help on my webpage
Check for QOTD here.
Image
User avatar
miker_alpha
Moderator
Moderator
 
Posts: 256
Joined: Sat May 08, 2004 9:20 am
Location: Kibbutz Tzora, Israel

Postby naveed » Fri Aug 06, 2004 3:33 pm

hi zoli,

As far as your first question that PHP should run under the user's UID/GID , yes it is possible.
For this to work you should have to install PHP as a CGI binary (compile with --enable-force-cgi-redirect),
it means that PHP will no longer run as Apache module.On high rate of hits this may slow down the speed.You may find its advantages/disadvantages at this url
<a href='http://www.php.net/manual/en/security.cgi-bin.php' target='_blank'>http://www.php.net/manual/en/security.cgi-bin.php</a>

Secondly you want to compile the apache with suExec enabled (if it is not already)

you can find how to compile apache with suExec option and its configuration settings here
<a href='http://httpd.apache.org/docs/suexec.html' target='_blank'>http://httpd.apache.org/docs/suexec.html</a>

Once apache is compiled with suExec wrapper you have to make some changes to your httpd.conf file,you have to change the Options directive as
Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI

The main thing about this is now all the PHP scripts should have executable permissions to work.
To avoid the downside of writing
#!/usr/bin/php
at top of each php script , I think you can avoid this by creating a sym link in your /cgi-bin/ directory of Apache .Make this link point to php binary installed in the system, and add the following lines in the httpd.conf files

AddHandler php4-script .php
Action php4-script /cgi-bin/php

A complete article article for configuraing Linux Debian in this way is available here
<a href='http://www.debianhowto.de/howtos/en/php_cgi/c_php_cgi.html' target='_blank'>Debian HowTo</a>

Now the resluting scripts will run under the requested user's UID/GID

Your second question is about disabling the mail and socket functions.
Unfortuantely there is no good way to do this neatly ( there are poor tricks which are also resource consuming).One suggestion is to make some changes in the source code and re-compile PHP for yourself ,since now PHP will run under UID of user you can consider what functions would be allowed to this user.Another one is to re-load different php.ini file for each user call so that each user can have different settings(this is worst).
Although I have not tested it anywhere but I hope this will work for at least mail() function.
That is change the sendmail_path in php.ini or httpd.conf and place some shell script which will check whether the caller has rights (means a shell user) and then direct it to the correct sendmail path, otherwise just to /dev/null etc..This way at least the user cannot send mails.

or let me give some time if i can put some better suggestion :)
naveed
Newbie
 
Posts: 8
Joined: Sat Jul 31, 2004 4:17 pm

Postby sjaz » Fri Aug 06, 2004 8:52 pm

I think your inputs are very good and i thank you for helping.
User avatar
sjaz
Forum Admin
Forum Admin
 
Posts: 694
Joined: Fri Feb 14, 2003 11:08 pm
Location: London, UK


Return to Web development

Who is online

Users browsing this forum: No registered users and 14 guests