LinuxQuestions.org
Old 08-25-2006, 09:19 AM   #1
bin_asc
Member
 
Registered: Aug 2006
Distribution: CentOS
Posts: 35

Rep: Reputation: Disabled
Workaround safe_mode - I'm using cPanel - do the experts here have a solution?


I am running several dedicated server boxes, with cPanel installed, php 4.4.4. I want to disable safe_mode in php, but in the meantime, I need to find a solution to get protected from shell scripts, like the big hosters do, aka GoDaddy, and other hosts. I used once a shell script on my server, with safe_mode off, and the only way to get protected at that time, was to use safe_mode on. But a lot of users are complaining. And I am too frankly. A lot of scripts don't work well or don't work at all with safe_mode on. I need a good solution. Any linux super guru here, that has a solution, and it's free ???
I need that solution to be global. I have a lot of users, and I can't do manual virtual host edits, because it's a lot of work. If that is the only solution, I would like to hear it out though.

Regards,
Adrian
 
Old 08-26-2006, 08:32 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
First of all I ain't no "GNU/Linux super guru" so YMMV(VM). I think the first thing is to manage your (and your boxen's users) expectations a bit: a choice for securing a box IMHO is a choice for protecting things you depend on or can't (easily) rebuild or can not replace: stability, reliability, time invested, good company image, like that. Given the fact boxen these days more often than not are compromised (easily) by all the "fun" PHP and PHP-based applications give us, wanting maximum flexibility but not "common sense" security enhancing restrictions is a fallacy. Safe_mode, while clearly imperfect, is a "common sense" adjustment just like register_globals etc, etc you have to make (until new PHP versions disable it by default or don't need that anymore to work relatively "safe"). Period. Secondly security is a continuous process of auditing and adjusting. Asking for something that requires not much work and have it working out of the box seems misplaced to me. With all due respect, but if you are more concerned with the amount of work you will have to put in instead of the security posture of the box you probably don't care for stability, reliability, etc, etc.

I should emphasise the base, the system itself, should be updated when updates are released and hardened properly before. Without that investing time in working on safe_mode alternatives is a waste of time and gives a false sense of security. I also should mention that none of this can protect the system from the effects of vulnerabilities, coding flaws or trickery like SELinux or GRSecurity's RBAC can.

Safe_mode checks if files to be opened (or included) have the same UID or GID as the starting script. For CGI ops Apache has suexec and for mod_php there's suPHP and PHPsuexec. Another alternative (because suPHP seems not without flaws) is to use Apache's fastcgi: you'll have to compile php-cgi with fastcgi support and Apache with suexec for this to work. Running PHP as CGI implies a performance drop which you accept as trade-off between flexibility and security.

In closing I think any of these could provide a workable solution if you use common sense, test before you deploy and read before you test, HTH.

Last edited by unSpawn; 08-26-2006 at 08:33 AM.
 
Old 08-26-2006, 09:00 AM   #3
bin_asc
Member
 
Registered: Aug 2006
Distribution: CentOS
Posts: 35

Original Poster
Rep: Reputation: Disabled
I do understand what you are saying, I must have been working hard that day, and my brain was severely malfunctioning. The fact is that I do want to secure my box, and to provide my customers good, stable, robust and secure hosting. I want them to be able to install common scripts, like forums, billing scripts ( for resellers ), and other good scripts, even if securing would cause a small drop in performance.
I do want to invest time to get something working real good. I found some sites like hardened-php, and some others. I want to get good solutions, and something that can explain the process, because I still want to learn. If it's manual work involved, even better. I can learn by actually doing the process multiple times on my boxes. I wait for your good replies

Regards
 
Old 08-27-2006, 07:21 AM   #4
edman007
Member
 
Registered: Sep 2003
Distribution: slackware-current
Posts: 173

Rep: Reputation: 30
people will always complain about safe mode, it disables lots of things that may be useful and a security risk, it effectively allows you to offer cheaper hosting by limiting features, i consider it a trade off for price, if they really don't like safe_mode then they should go somewhere else and pay more (maybe you could offer a plan for a bit more that disables safe mode, just spend more effort monitoring those servers)

you can also look at these settings, you could for example enable safe mode and relax it quite a bit, also very few things even need to execute shell things, you could enable safe mode, relax the settings, and then disable all functions that can execute a shell script, billing/forums and most other things usually only need fopen_wrappers/file functions and db access, you may also decide to tighten up the file permissions on your server
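
A check for the approach suggested in the post above (safe_mode kept but relaxed, process-spawning functions disabled), as an added example that is not part of the thread: it parses php.ini text and lists which command-execution functions are still callable. The function list and both sample configurations are constructed for illustration.

```python
# PHP functions that start an external process. This set is the example's
# assumption of what "functions that can execute a shell script" covers.
EXEC_FUNCTIONS = {"exec", "passthru", "shell_exec", "system",
                  "popen", "proc_open", "pcntl_exec"}

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        if not line or line.startswith("[") or "=" not in line:
            continue                          # blank, section header, or junk
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def is_on(value):
    return value.strip().lower() in {"1", "on", "true", "yes"}

def audit(text):
    """Summarise the safe_mode posture and the exec functions left enabled."""
    ini = parse_php_ini(text)
    disabled = {f.strip().lower()
                for f in ini.get("disable_functions", "").split(",")
                if f.strip()}
    return {
        "safe_mode": is_on(ini.get("safe_mode", "off")),
        # safe_mode_gid relaxes the owner check from UID match to GID match
        "safe_mode_gid": is_on(ini.get("safe_mode_gid", "off")),
        "exec_still_enabled": sorted(EXEC_FUNCTIONS - disabled),
    }

# Constructed sample: safe_mode on but relaxed, most exec functions disabled.
SAMPLE_RELAXED = """
[PHP]
safe_mode = On          ; keep the owner check
safe_mode_gid = On      ; relax it: compare group instead of user
disable_functions = exec, passthru, shell_exec, system, popen
"""

# Constructed sample: safe_mode off, the only disable list is commented out.
SAMPLE_OFF = """
safe_mode = Off
;disable_functions = exec,system
disable_functions =
"""

if __name__ == "__main__":
    for name, cfg in (("relaxed", SAMPLE_RELAXED), ("off", SAMPLE_OFF)):
        print(name, audit(cfg))
```

The first sample still leaves `proc_open` and `pcntl_exec` callable, which is the kind of gap a hand-written `disable_functions` line tends to have.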
 
Old 08-30-2006, 03:13 PM   #5
bin_asc
Member
 
Registered: Aug 2006
Distribution: CentOS
Posts: 35

Original Poster
Rep: Reputation: Disabled
Yes, but, for example, invision powerboard really annoys my clients, as they have numerous boards, and safe_mode does affect them. So I really need a turnaround. Something, anything lol. Sorry, I just can't find any solution, like GoDaddy's setup. How do they manage ? Anyone ever asked themselves that ? If you're going to say they have the money power, well.... that's true. But some other hosts manage with it off.
 
  

