
Turn off safe mode for the main directory

Orangi

Guest
Hello

At the moment I'm running my server on the main IP with all files in the /var/www/vhosts/default/htdocs directory.
I turned off safe_mode in the httpd.conf.
If I take a look at php info it tells me that the Master Value safe_mode is Off.
But the Local Value safe_mode is still On.
How can I turn it also off?

Thanks
 
Try to use /usr/local/psa/bin/domain with -php_safe_mode option. (--help option for details)
 
can't change safe_mode var

hello

I tried a lot of things to turn off my local safe_mode var and nothing...

About /usr/local/psa/bin/domain with the -php_safe_mode option, what exactly do we have to do?

I vi the domain file and I have codification problems

thnx!
 
Same problem

I have a similar issue: I have domains redirected to the server's IP, which redirects hits to /var/www/vhosts/default/htdocs

This folder runs PHP code which requires safe_mode to be turned OFF. safe_mode is off globally, but on locally and I am unable to find out how to disable it. I've tried .htaccess, created a vhosts.conf in a new default/conf/ directory. To no avail.

I already tried Igor's suggestion above, like this:
# /usr/local/psa/bin/domain -u default -php_safe_mode false
Wrong syntax for command's "--update" parameter

The domain command seems to check if the domain is valid (e.g. default is not, but default.com is). So, Igor, how can we use domain command to fix this? Is there another way?

Thanks!
 
Ok. I found what appears to be a short-term solution, at least:

In /etc/apache2/conf.d/zz010_psa_httpd.conf
change to safe_mode Off

Restart apache: /etc/init.d/apache2 restart

phpinfo() now reports both the local and master values of safe_mode to be Off.

However, I presume this change won't survive mucking around with domains in Plesk, right? Will Plesk eventually overwrite these changes? Any way to make them permanent?
 
I should add that my code actually also runs fine now
change above seems to solve your problem Lluisr
 
Yes, I found it too
in file '/usr/local/psa/admin/conf/generated/xxxxxxxx.xxxxxxx_server.include'

Sorry, I put it in some sites and don't write here

thnx anyway
 
I'm having the same problem on 10.4. There are even global and site-specific "safe_mode" settings in the control panel. Why won't safe_mode DIE?
 
If it makes you feel any better: safe mode will be gone in PHP 5.4.

I know, but it is generating warnings in my command-line usage now in 10.3 and 10.4 (imagine 10 minute intervals with monitored Crontab entries -- an email each time). It also interferes with the backtick operators and exec(), which are important pieces of this website since PHP can not do everything.

Since Safe Mode is forced to be on, I have to assume that there is a reason for this with a security implication... which means an immediate security audit on my part. I would almost be better off managing this domain by hand.

Partial Fixes:

The crontab entries can be made silent by commenting out safe_mode in /etc/php.ini, and this is a temporary work-around for Safe Mode in Apache:

# find /var/www/vhosts/[sub.domain]/conf -name '*.include' -exec sed -i "s/safe_mode on/safe_mode off/g" '{}' \;
# service httpd restart

Unfortunately the latter gets overwritten any time that the configuration files are rebuilt by Plesk.
 
Never edit those *.include files. You can use vhost.conf for overrides. But you can just disable safe mode in Plesk, right? I think you could even use php -d safe_mode=off <php-script> as your cronjob command to disable safe mode for just that command.

I have to say that allowing exec() is probably a much bigger security implication than disabling safe mode.
 
Never edit those *.include files. You can use vhost.conf for overrides.
I had tried creating a vhost.conf file in the same directory those *.include files were located in. Rebuilt the config (/usr/local/psa/admin/sbin/httpdmng --reconfigure-domain [sub.domain]) and restarted Apache. It failed to do anything. Here's what I have right now:

<Directory /var/www/vhosts/[domain]/[subdomain]>
php_admin_value safe_mode off
php_admin_value open_basedir none
</Directory>

But you can just disable safe mode in Plesk, right?
For the main domain, yes, and I have verified the *.include files for it. This does not work for the subdomain.

I think you could even use php -d safe_mode=off <php-script> as your cronjob command to disable safe mode for just that command.
Probably. I was looking for a way to kill all of these birds with one stone.

I have to say that allowing exec() is probably a much bigger security implication than disabling safe mode.
Eh, kind of. For stability reasons the code ensures that generated *.php files will pass a lint check after they are written. Think of it as a sanity check on file caching. PHP used to have a function called php_check_syntax() which was removed. The newer runkit_lint_file() might replace it except that runkit is not always available.

There are also times when thumbnails need to be generated from video files. FFMPEG and MPlayer work well from the command line. A module does exist for PHP/FFMPEG, but it is old and in my tests FFMPEG will fail to generate a thumbnail with certain codecs anyway (which is where MPlayer becomes useful).

There are valid reasons for exec(), if the parameters are escaped properly. I can vouch for the escaping in this code base, but this is not the only server that it runs on... so it can't rely on a fully customized environment.
 
Update: I found the "PhpSettingsParameters" table in the "psa" database. There was one entry for "safe_mode" that was set to "on." That makes it pretty obvious in my situation, but how would someone else correlate the "id" column to a hosted sub/domain?
 
I had tried creating a vhost.conf file in the same directory those *.include files were located in. Rebuilt the config (/usr/local/psa/admin/sbin/httpdmng --reconfigure-domain [sub.domain]) and restarted Apache. It failed to do anything. Here's what I have right now:

<Directory /var/www/vhosts/[domain]/[subdomain]>
php_admin_value safe_mode off
php_admin_value open_basedir none
</Directory>

I think this won't work, because the settings in the .include file apply to a more specific directory (something like /var/www/vhosts/[domain]/[subdomain]/httpdocs), so they will override whatever you set for /var/www/vhosts/[domain]/[subdomain]. I think you'll need to change the directory to the specific document root and not one directory up.

Also, for security reasons I recommend to never set open_basedir to none. It's safer to just add the specific directories your code needs to access to the default open_basedir path.
 
I think this won't work, because the settings in the .include file apply to a more specific directory (something like /var/www/vhosts/[domain]/[subdomain]/httpdocs), so they will override whatever you set for /var/www/vhosts/[domain]/[subdomain]. I think you'll need to change the directory to the specific document root and not one directory up.

There isn't an "httpdocs" directory under /var/www/vhosts/[domain]/[subdomain]. I had tried /var/www/vhosts/[subdomain].[domain]/httpdocs. That directory exists, but whether it is an effect of my upgrade to the latest version (or not) I don't know. It does not contain any of the subdomain's files, and using that path had not worked either.

Also, for security reasons I recommend to never set open_basedir to none. It's safer to just add the specific directories your code needs to access to the default open_basedir path.

Good point. The code had been written to access /dev/null. I patched it to create an empty file within DOCUMENT_ROOT instead.
 
Here is the directory structure as far as I understand it being relevant:

/var/www/vhosts/[domain]/httpdocs -- domain's *.php files
/var/www/vhosts/[domain]/conf -- domain's *.include files
/var/www/vhosts/[domain]/[subdomain] -- subdomain's *.php files
/var/www/vhosts/[subdomain].[domain]/conf -- subdomain's *.include files

I've placed the vhost.conf file in [domain]/conf and [subdomain].[domain]/conf... neither one seems to work, although most of my testing has been in [subdomain].[domain]/conf.

UPDATE: The version of Plesk was in the 10.3 range when I started, and I updated it to 10.4.4 a few days ago.
 
The vhost.conf should probably be in /var/www/vhosts/[subdomain].[domain]/conf, I guess. Check the latest *_httpd.include file in /var/www/vhosts/[subdomain].[domain]/conf, it should have an Include statement for /var/www/vhosts/[subdomain].[domain]/conf/vhost.conf* near the end of the file. Is that correct?
 
Yes, that is correct. The use of "vhost.conf*" is very interesting...
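
An added example, not part of the thread: a read-only shell check that lists every Apache-level PHP override of safe_mode or open_basedir under a conf directory, together with the <Directory> scope each one applies to. Apache merges the more specific directory last, so the scope column shows which setting wins. The sample files, the example.test names and the WARN label are constructed for the demo.

```shell
#!/bin/sh
# Added example: report php_flag/php_value/php_admin_* overrides of
# safe_mode and open_basedir, with the <Directory> block they sit in.

audit_php_overrides() {   # $1 = conf directory holding *.include / vhost.conf*
    find "$1" -type f \( -name '*.include' -o -name 'vhost.conf*' \) | LC_ALL=C sort |
    while IFS= read -r f; do
        awk -v file="${f#"$1"/}" '
            BEGIN { scope = "(vhost)" }
            /^[[:space:]]*#/ { next }                       # skip comment lines
            tolower($1) == "<directory"   { scope = $2; gsub(/[">]/, "", scope); next }
            tolower($1) == "</directory>" { scope = "(vhost)"; next }
            tolower($1) ~ /^php_(admin_)?(flag|value)$/ &&
            tolower($2) ~ /^(safe_mode|open_basedir)$/ {
                val = $3; gsub(/"/, "", val)
                # open_basedir none removes the filesystem restriction entirely
                warn = (tolower($2) == "open_basedir" && tolower(val) == "none") ? " WARN:no-basedir-limit" : ""
                printf "%s|%s|%s %s=%s%s\n", file, scope, tolower($1), tolower($2), val, warn
            }' "$f"
    done
}

# Constructed sample files; names and contents are illustrative only.
make_sample() {   # $1 = empty directory to populate
    cat > "$1/13_sub.example.test_httpd.include" <<'EOF'
<Directory /var/www/vhosts/example.test/sub>
    php_admin_flag safe_mode on
    php_admin_value open_basedir "/var/www/vhosts/example.test/sub:/tmp"
</Directory>
Include /var/www/vhosts/sub.example.test/conf/vhost.conf*
EOF
    cat > "$1/vhost.conf" <<'EOF'
# override attempt scoped one level above the document root
<Directory /var/www/vhosts/example.test>
    php_admin_value safe_mode off
    php_admin_value open_basedir none
</Directory>
EOF
}

# Demo run against the constructed sample
d=$(mktemp -d); make_sample "$d"; audit_php_overrides "$d"; rm -rf "$d"
```

On a real server, point audit_php_overrides at the vhost's conf directory and compare the reported scopes with the document root shown by phpinfo().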
 