Force safe_mode

Discussion in 'General' started by ddelbia, Jan 13, 2006.

  1. ddelbia

    ddelbia Member

    Hi all again :)

    Is there a way to force resellers and clients to use php in safe mode?

    I've just looked at the documentation and previous posts, of course, but I found nothing, sorry!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, currently you can't force them. The only solution might be to change the ISPConfig scripts to always enable PHP safemode.
     
  3. heftigrat

    heftigrat New Member

    What is this safe mode of which you speak? It sounds important, or like it could be a security issue. Could someone's crappy PHP code crash my server?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This means the PHP safemode option. If you check the "php safemode" checkbox in ISPConfig, all PHP scripts are restricted to run in the web directory of this site. Access to files outside of the web directory is then disabled and the site has its own temp directory for PHP files. It's recommended to enable safemode if you enable PHP.
     
  5. ddelbia

    ddelbia Member

    I'm just looking... it seems quite complex... can someone give me any help?

    I have an idea... I may use an external script that updates the table isp_isp_web.web_php_safe_mode...
    Is it a good idea? :)
    Do I need to do something after all, to activate the configuration?

    I have another idea... what happens if I manually change the global php.ini, setting safe_mode = On?

    With both the first and third solutions, I can't have exceptions, but with the second solution, I can leave web_php_safe_mode at 0... I think this is more interesting...
     
  6. falko

    falko Super Moderator Howtoforge Staff

    No, not a good idea... You should have a look at /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_web.lib.php.

    It has no effect on the web sites created by ISPConfig because if PHP Safe Mode is disabled for a web site in ISPConfig, then ISPConfig writes some directives into the vhost that disable PHP Safe Mode, no matter what's in php.ini.
     
  7. falko

    falko Super Moderator Howtoforge Staff

    I've just had a better idea: you could create a hostingplan in ISPConfig with PHP Safe Mode checked, and then create new web sites from that hostingplan. Then Safe Mode is enabled by default.
     
  8. ddelbia

    ddelbia Member

    OK, but the reseller can use individual settings too, can't they? I have bad resellers ;)
    I'll try to hack ispconfig_isp_web.lib.php, this seems the only solution...
    BTW, why is the script idea bad?
     
  9. falko

    falko Super Moderator Howtoforge Staff

    Because you do the changes after the initial configuration has been written. It's not only that you update the PHP Safe Mode field in the database, but you also have to set the status of the corresponding web site to u, and then you have to create an empty file /home/admispconfig/ispconfig/.run; the existence of this file makes the ISPConfig backend rewrite the configuration files.
    It's a little bit tricky...
     
  10. ddelbia

    ddelbia Member

    Then I need a script that:

    1) updates php_safe_mode field
    2) if updated: update web site's status field
    3) if updated: touch /home/admispconfig/ispconfig/.run & chmod admispconfig?

    I'll try, thank you :)
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, but I think you don't have to chmod the .run file, as it is deleted by a process with root privileges.

    But your approach has one drawback. Updating the config files can take a lot of resources if you have many sites, so doing this twice might be a problem on large installations.
     
  12. falko

    falko Super Moderator Howtoforge Staff

    Yes, that's correct. :)
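
The three steps from posts 9 to 11, as an added example that is not from the thread or from ISPConfig: it changes only sites that have safe mode off, sets those rows to status u, and creates the .run flag only when something changed, so an already compliant installation triggers no config rewrite. The SQLite in-memory table, the `doc_id` and `status` column names and the function names are assumptions; the table name, `web_php_safe_mode` and the .run path come from the posts.

```python
import sqlite3
import tempfile
from pathlib import Path

# Path named in the thread; demo() uses a temporary directory instead.
RUN_FLAG = Path("/home/admispconfig/ispconfig/.run")


def force_safe_mode(conn, run_flag=RUN_FLAG):
    """Turn safe mode on where it is off; return the ids that were changed."""
    cur = conn.cursor()
    # ASSUMPTION: the 'doc_id' and 'status' column names are hypothetical.
    cur.execute(
        "SELECT doc_id FROM isp_isp_web "
        "WHERE web_php_safe_mode <> 1 ORDER BY doc_id"
    )
    changed = [row[0] for row in cur.fetchall()]
    if not changed:
        return []  # nothing to do: no status change, no .run, no rewrite
    cur.executemany(
        "UPDATE isp_isp_web SET web_php_safe_mode = 1, status = 'u' "
        "WHERE doc_id = ?",
        [(doc_id,) for doc_id in changed],
    )
    conn.commit()
    # Create the flag only after the commit, so the backend never sees
    # a .run file before the updated rows are visible.
    Path(run_flag).touch()
    return changed


def demo():
    """Run twice on a constructed three-site table (SQLite stand-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE isp_isp_web (doc_id INTEGER PRIMARY KEY, "
        "web_php_safe_mode INTEGER, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO isp_isp_web VALUES (?, ?, '')", [(1, 1), (2, 0), (3, 0)]
    )
    with tempfile.TemporaryDirectory() as tmp:
        flag = Path(tmp) / ".run"
        first = force_safe_mode(conn, flag)
        flag_after_first = flag.exists()
        flag.unlink()  # stands in for the backend deleting the flag
        second = force_safe_mode(conn, flag)
        statuses = dict(conn.execute("SELECT doc_id, status FROM isp_isp_web"))
        return first, flag_after_first, second, flag.exists(), statuses
```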
     
  13. Norman

    Norman Member HowtoForge Supporter

    I thought I might revive a long since "dead" thread.
    Are there any easy ways in recent ISPConfig versions to force resellers to have safe_mode on?
     
  14. falko

    falko Super Moderator Howtoforge Staff

    No, that's not possible. I've added this to our bugtracker.
     
  15. Norman

    Norman Member HowtoForge Supporter

    I've solved this temporarily by forcing php-cgi on all accounts and with higher security requirements.

    I'll be doing a pentest on the ISPConfig installations in the future to see what more can be improved. Modify umask settings etc. for new users.
     
