vhost.conf settings for Plesk 10.3

Posted: Thu Nov 10, 2011 1:15 pm
by chrismcb
Hi,

I've previously used vhost.conf settings for older Plesk versions, however I'm trying to change the php_admin_value of disable_functions to allow exec to run on a specific domain.

I edit the vhost.conf file, reconfigure the domain and restart apache, but the limit is still in place.


Has this changed for v10?

Re: vhost.conf settings for Plesk 10.3

Posted: Fri Nov 11, 2011 5:28 am
by breun
According to http://php.net/manual/en/ini.core.php disable_functions can only be configured in php.ini, so you can't overwrite it in Apache configuration.

Re: vhost.conf settings for Plesk 10.3

Posted: Fri Nov 11, 2011 5:36 am
by chrismcb
Ahhh... thanks Breun

I'm installing a new webmail (roundcube), which has plugins for Plesk that allow users to configure their Auto Responder and email forwarding.

The plugin was created by someone else to use the CLI methods that Plesk provides.


exec is not a function that I'd particularly like to open up server-wide, are there any other ways to allow this on a single domain?

Re: vhost.conf settings for Plesk 10.3

Posted: Fri Nov 11, 2011 5:41 am
by biggles
suhosin ought to fix it. Faris has replied to a thread with his setup. But that setup makes you allow it globally and then disable it globally with suhosin. This makes ASL complain it is a High risk. But you know you are safe, except for the domains where you specifically enable it.

Re: vhost.conf settings for Plesk 10.3

Posted: Fri Nov 11, 2011 6:46 am
by breun
I think you mean Suhosin?

Re: vhost.conf settings for Plesk 10.3

Posted: Fri Nov 11, 2011 7:04 am
by chrismcb
Thanks, found it.

Before going to the trouble of setting this up, I thought I'd enable exec temporarily to test the feature out.

I'm not too sure about it... it needs to run the command:

Code:

sudo /opt/psa/bin/autoresponder -i -mail chris@abc123.com

Currently giving an error log of:

Code:

sudo: apache : no tty present and no askpass program specified ; TTY=unknown ; PWD=/var/www/vhosts/abc123.com/httpdocs/webmail ; USER=root ; COMMAND=/opt/psa/bin/autoresponder -i -mail chris@abc123.com

If I add the below to /etc/sudoers, it should work.

Code:

apache ALL=NOPASSWD: /opt/psa/bin/autoresponder

But do you think this is too much of a security risk?

Re: vhost.conf settings for Plesk 10.3

Posted: Sat Nov 12, 2011 2:27 am
by biggles
breun wrote: I think you mean Suhosin?

Oops! As usual breun is right! Thanks for the correction!

Re: vhost.conf settings for Plesk 10.3

Posted: Thu Nov 17, 2011 11:09 am
by chrismcb
OK, I've configured everything and it's working fine - I now have Roundcube installed with custom Plesk plugins allowing Autoresponders and Passwords to be set.

I installed suhosin and configured it to block the following functions:

Code:

suhosin.executor.func.blacklist = dl,exec,leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,pos,shell_exec,url_include,curl_multi_exec,ftp_exec,pcntl_exec,phpinfo,posox_setuid,proc_close,proc_get_status,proc_nice,proc_terminate,show_source,system$

Based on the initial list given by faris at http://www.atomicorp.com/forums/viewtop ... sin#p31634

I turned off PHP checking in ASL to allow suhosin to deal with that for me.


The scripts required access to the plesk autoresponder command via the CLI - so I added apache to the sudoers file for that command only:

Code:

apache ALL = NOPASSWD: /usr/local/psa/bin/autoresponder

I enabled exec in vhost.conf for the domain where the webmail is currently located and everything works great.


Can anyone spot any glaring security issues here? Or functions that perhaps should be disabled server wide that I've missed?



Thanks
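
Added example, not part of any post in this thread: the sudoers line above names the command without arguments, so apache may run autoresponder with any options for any mailbox. One way to narrow that is to grant sudo on a small wrapper that accepts only the action shown in the thread (-i) and a validated address. The wrapper path and function names are assumptions, and the requests in the loop are constructed.

```shell
#!/bin/sh
# Added example: core of a hypothetical wrapper (path and function names assumed).
# sudoers would then grant only the wrapper, not the Plesk binary:
#   apache ALL = NOPASSWD: /usr/local/sbin/rc-autoresponder
# A sudoers entry naming a command without arguments permits ANY arguments.

AUTORESPONDER=/usr/local/psa/bin/autoresponder   # path as given in the thread

# Accept only local@domain built from a conservative character set.
valid_mailbox() {
    case "$1" in
        ''|-*|*@*@*|*[!A-Za-z0-9._@+-]*) return 1 ;;  # empty, option-like, two @, other chars
        ?*@?*.?*) ;;                                   # local part, domain, at least one dot
        *) return 1 ;;
    esac
    [ "${#1}" -le 254 ]
}

# Print the exact command the wrapper would run, or fail without output.
# Return codes: 2 = bad argument count or action, 3 = bad mailbox.
# Only the action seen in the thread (-i) is allowed; add others explicitly.
wrapper_command() {
    [ "$#" -eq 2 ] || return 2
    case "$1" in
        -i) ;;
        *) return 2 ;;
    esac
    valid_mailbox "$2" || return 3
    # The installed wrapper would instead do: exec "$AUTORESPONDER" "$1" -mail "$2"
    printf '%s %s -mail %s\n' "$AUTORESPONDER" "$1" "$2"
}

# Constructed requests: the first is the one from the thread, the rest must be refused.
for req in '-i chris@abc123.com' '-i chris@abc123.com;id' '-x chris@abc123.com' '-i -mail'; do
    # Word splitting of $req is deliberate here: each request is "action address".
    if out=$(wrapper_command $req); then
        echo "ALLOW  $out"
    else
        echo "REFUSE $req"
    fi
done
```

Restricting the arguments in sudoers with a trailing `*` is not a substitute, because sudoers wildcards in arguments also match white space and therefore extra options.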

Re: vhost.conf settings for Plesk 10.3

Posted: Thu Nov 17, 2011 11:58 am
by breun
chrismcb wrote: or functions that perhaps should be disabled server wide that I've missed?

Check the PHP settings in /etc/asl/config for the risky PHP functions according to ASL.

You disabled 'pos' and 'posox_setuid', which don't exist AFAIK. Typo?

url_include is also not a PHP function AFAIK. I think you wanted to disable allow_url_include? This is not a PHP function, but a PHP configuration setting. You'll want to set PHP_URL_INCLUDE="no" in /etc/asl/config and run asl -s -f, which will set allow_url_include = "no" in /etc/php.ini.

Re: vhost.conf settings for Plesk 10.3

Posted: Thu Nov 17, 2011 3:57 pm
by chrismcb
Thanks, yep - a typo - and was flagged by PHP in /var/log/messages

So far, so good - everything is working as it should and I'm getting through all the setting tweaks I've had to make to allow scripts to operate as they should (request size, memory limit...).

Re: vhost.conf settings for Plesk 10.3

Posted: Wed Nov 23, 2011 9:39 am
by chrismcb
I've now managed to replace Atmail Open with Roundcube, but symlinking its directory from the webspace that it resides in has meant that the Suhosin php options added to the webspace vhost settings don't apply to the actual webmail vhost.

e.g. www.website.com/webmail - the vhost settings of website.com have been changed and allow everything that's required.
Going to webmail.website.com doesn't use the same vhost.conf settings.


Can anyone advise as to where I can find these settings to alter them?

Re: vhost.conf settings for Plesk 10.3

Posted: Thu Nov 24, 2011 8:40 am
by chrismcb
Found it... If you edit the configuration template for atmail.php, you can have full control over the vhost.conf settings:

Code:

/usr/local/psa/admin/conf/templates/default/atmail.php

After editing, reconfigure the domains for it to take effect:

Code:

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all