Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
08-25-2006, 09:19 AM | #1 | Member | Registered: Aug 2006 | Distribution: CentOS | Posts: 35
Workaround safe_mode - I'm using cPanel - do the experts here have a solution?
I am running several dedicated server boxes, with cPanel installed, PHP 4.4.4. I want to disable safe_mode in PHP, but in the meantime I need to find a solution to get protected from shell scripts, like the big hosters do, aka GoDaddy and other hosts. I once used a shell script on my server, with safe_mode off, and the only way to get protected at that time was to use safe_mode on. But a lot of users are complaining. And I am too, frankly. A lot of scripts don't work well or don't work at all with safe_mode on. I need a good solution. Any Linux super guru here that has a solution, and it's free?
I need that solution to be global. I have a lot of users, and I can't do manual virtual host edits, because it's a lot of work. If that is the only solution, I would like to hear it out though.
Regards,
Adrian
08-26-2006, 08:32 AM | #2 | Moderator | Registered: May 2001 | Posts: 29,415
First of all I ain't no "GNU/Linux super guru" so YMMV(VM). I think the first thing is to manage your (and your boxen's users') expectations a bit: a choice for securing a box IMHO is a choice for protecting things you depend on or can't (easily) rebuild or replace: stability, reliability, time invested, good company image, like that. Given the fact that boxen these days more often than not are compromised (easily) by all the "fun" PHP and PHP-based applications give us, wanting maximum flexibility but not "common sense" security-enhancing restrictions is a fallacy. Safe_mode, while clearly imperfect, is a "common sense" adjustment, just like register_globals etc., etc., that you have to make (until new PHP versions disable it by default or don't need it anymore to work relatively "safe"). Period. Secondly, security is a continuous process of auditing and adjusting. Asking for something that requires not much work and has it working out of the box seems misplaced to me. With all due respect, but if you are more concerned with the amount of work you will have to put in instead of the security posture of the box, you probably don't care for stability, reliability, etc., etc.
I should emphasise that the base, the system itself, should be updated when updates are released and hardened properly beforehand. Without that, investing time in working on safe_mode alternatives is a waste of time and gives a false sense of security. I also should mention that none of this can protect the system from the effects of vulnerabilities, coding flaws or trickery like SELinux or GRSecurity's RBAC can.
Safe_mode checks if files to be opened (or included) have the same UID or GID as the starting script. For CGI ops Apache has suexec, and for mod_php there's suPHP and PHPsuexec. Another alternative (because suPHP seems not without flaws) is to use Apache's FastCGI: you'll have to compile php-cgi with FastCGI support and Apache with suexec for this to work. Running PHP as CGI implies a performance drop, which you accept as a trade-off between flexibility and security.
In closing, I think any of these could provide a workable solution if you use common sense, test before you deploy and read before you test. HTH.
Last edited by unSpawn; 08-26-2006 at 08:33 AM.
08-26-2006, 09:00 AM | #3 | Member | Registered: Aug 2006 | Distribution: CentOS | Posts: 35 | Original Poster
I do understand what you are saying. I must have been working hard that day, and my brain was severely malfunctioning. The fact is that I do want to secure my box, and to provide my customers good, stable, robust and secure hosting. I want them to be able to install common scripts, like forums, billing scripts (for resellers), and other good scripts, even if securing would cause a small drop in performance.
I do want to invest time to get something working real good. I found some sites like hardened-php, and some others. I want to get good solutions, and something that can explain the process, because I still want to learn. If there's manual work involved, even better. I can learn by actually doing the process multiple times on my boxes. I await your good replies.
Regards
08-27-2006, 07:21 AM | #4 | Member | Registered: Sep 2003 | Distribution: slackware-current | Posts: 173
People will always complain about safe mode; it disables lots of things that may be useful and a security risk. It effectively allows you to offer cheaper hosting by limiting features; I consider it a trade-off for price. If they really don't like safe_mode then they should go somewhere else and pay more (maybe you could offer a plan for a bit more that disables safe mode, and just spend more effort monitoring those servers).
You can also look at these settings. You could, for example, enable safe mode and relax it quite a bit. Also, very few things even need to execute shell things: you could enable safe mode, relax the settings, and then disable all functions that can execute a shell script. Billing/forums and most other things usually only need fopen_wrappers/file functions and db access. You may also decide to tighten up the file permissions on your server.
08-30-2006, 03:13 PM | #5 | Member | Registered: Aug 2006 | Distribution: CentOS | Posts: 35 | Original Poster
Yes, but, for example, Invision Power Board really annoys my clients, as they have numerous boards, and safe_mode does affect them. So I really need a turnaround. Something, anything, lol. Sorry, I just can't find any solution, like GoDaddy's setup. How do they manage? Anyone ever asked themselves that? If you're going to say they have the money power, well... that's true. But some other hosts manage with it off.