vhost.conf settings for Plesk 10.3

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Hi,

I've previously used vhost.conf settings for older Plesk versions, however I'm trying to change the php_admin_value of disable_functions to allow exec to run on a specific domain.

I edit the vhost.conf file, reconfigure the domain and restart apache, but the limit is still in place.


Has this changed for v10?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

According to http://php.net/manual/en/ini.core.php disable_functions can only be configured in php.ini, so you can't overwrite it in Apache configuration.
Lemonbit Internet Dedicated Server Management
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Ahhh... thanks Breun

I'm installing a new webmail (roundcube), which has plugins for Plesk that allow users to configure their Auto Responder and email forwarding.

The plugin was created by someone else to use the CLI methods that Plesk provides.


exec is not a function that I'd particularly like to open up server-wide, are there any other ways to allow this on a single domain?
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

suhosin ought to fix it. Faris has replied to a thread with his setup. But that setup makes you allow it globally and then disable it globally with suhosin. This makes ASL complain it is a High risk. But you know you are safe, except for the domains where you specifically enable it.
Last edited by biggles on Sat Nov 12, 2011 2:27 am, edited 1 time in total.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

I think you mean Suhosin?
Lemonbit Internet Dedicated Server Management
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Thanks, found it.

Before going to the trouble of setting this up, I thought I'd enable exec temporarily to test the feature out.

I'm not too sure about it... it needs to run the command:

Code:

sudo /opt/psa/bin/autoresponder -i -mail chris@abc123.com

Currently giving an error log of:

Code:

sudo: apache : no tty present and no askpass program specified ; TTY=unknown ; PWD=/var/www/vhosts/abc123.com/httpdocs/webmail ; USER=root ; COMMAND=/opt/psa/bin/autoresponder -i -mail chris@abc123.com

If I add the below to /etc/sudoers, it should work.

Code:

apache ALL=NOPASSWD: /opt/psa/bin/autoresponder

But do you think this is too much of a security risk?
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

breun wrote: I think you mean Suhosin?

Oops! As usual breun is right! Thanks for the correction!
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

OK, I've configured everything and it's working fine - I now have Roundcube installed with custom Plesk plugins allowing Autoresponders and Passwords to be set.

I installed suhosin and configured it to block the following functions:

Code:

suhosin.executor.func.blacklist = dl,exec,leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,pos,shell_exec,url_include,curl_multi_exec,ftp_exec,pcntl_exec,phpinfo,posox_setuid,proc_close,proc_get_status,proc_nice,proc_terminate,show_source,system$

Based on the initial list given by faris at http://www.atomicorp.com/forums/viewtop ... sin#p31634

I turned off PHP checking in ASL to allow suhosin to deal with that for me.


The scripts required access to the Plesk autoresponder command via the CLI - so I added apache to the sudoers file for that command only:

Code:

apache ALL = NOPASSWD: /usr/local/psa/bin/autoresponder

I enabled exec in vhost.conf for the domain where the webmail is currently located and everything works great.


Can anyone spot any glaring security issues here? Or functions that perhaps should be disabled server wide that I've missed?



Thanks
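
The sudoers rule in the post above names the binary without arguments, so sudo accepts any arguments the apache user supplies. One way to narrow that, as an added example that is not part of the original post or of Plesk: point the sudoers entry at a wrapper that passes through only the invocation shown earlier in the thread. `ALLOWED_DOMAIN`, `check_args`, `wrapper_main` and the wrapper path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): argument filter for a sudo wrapper.
# Assumptions: ALLOWED_DOMAIN, the function names and the wrapper itself.
# sudoers entry (hypothetical path):
#   apache ALL = NOPASSWD: /usr/local/sbin/autoresponder-wrapper
LC_ALL=C; export LC_ALL               # keep the [A-Za-z] ranges byte-exact
ALLOWED_DOMAIN="abc123.com"           # sample mail domain used in the thread
REAL_BIN="/usr/local/psa/bin/autoresponder"

# Succeeds only for the form shown in the thread: -i -mail user@ALLOWED_DOMAIN
check_args() {
    [ "$#" -eq 3 ] || return 1
    [ "$1" = "-i" ] || return 1
    [ "$2" = "-mail" ] || return 1
    case "$3" in
        *@*@*|@*|*@) return 1 ;;       # more than one "@", or an empty side
        *@*) ;;
        *) return 1 ;;                 # no "@" at all
    esac
    ca_user="${3%@*}"
    ca_domain="${3#*@}"
    case "$ca_user" in
        -*|*[!A-Za-z0-9._+-]*) return 1 ;;   # option-like, or outside the safe set
    esac
    [ "$ca_domain" = "$ALLOWED_DOMAIN" ]
}

# Entry point of the wrapper that sudoers would name instead of REAL_BIN.
wrapper_main() {
    if check_args "$@"; then
        exec "$REAL_BIN" "$@"
    fi
    echo "autoresponder wrapper: arguments rejected" >&2
    return 1
}

# Decisions for a few constructed inputs; a deployed wrapper would end with
#   wrapper_main "$@"
# instead of this demo.
demo() {
    for addr in "chris@abc123.com" "bob@other.example" "-x@abc123.com" "chris@abc123.com extra"; do
        if check_args -i -mail "$addr"; then echo "allow  $addr"; else echo "reject $addr"; fi
    done
}
demo
```

The wrapper file has to be owned by root and not writable by the apache user, otherwise the sudoers entry grants whatever the file is changed to.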
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

chrismcb wrote: or functions that perhaps should be disabled server wide that I've missed?

Check the PHP settings in /etc/asl/config for the risky PHP functions according to ASL.

You disabled 'pos' and 'posox_setuid', which don't exist AFAIK. Typo?

url_include is also not a PHP function AFAIK. I think you wanted to disable allow_url_include? This is not a PHP function, but a PHP configuration setting. You'll want to set PHP_URL_INCLUDE="no" in /etc/asl/config and run asl -s -f, which will set allow_url_include = "no" in /etc/php.ini.
Lemonbit Internet Dedicated Server Management
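
The check in the post above can be done mechanically. An added example, not part of the original post: it compares each entry of a `suhosin.executor.func.blacklist` line with a list of functions PHP reports as defined. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list blacklist entries that are not
# defined PHP functions. Function names and sample data are assumptions.

# $1 = a "suhosin.executor.func.blacklist = a,b,c" line
# $2 = file with one defined function name per line, e.g. produced with
#      php -r '$f = get_defined_functions(); echo implode("\n", $f["internal"]), "\n";'
# Prints every entry that has no exact match in $2.
unknown_blacklist_entries() {
    printf '%s\n' "${1#*=}" | tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    while IFS= read -r ube_name; do
        [ -n "$ube_name" ] || continue          # skip empty fields (",,")
        grep -qxF -e "$ube_name" "$2" || printf '%s\n' "$ube_name"
    done
}

# Constructed data: a shortened blacklist containing two of the entries
# questioned in the thread, and an excerpt of a defined-function list.
demo_unknown() {
    du_known=$(mktemp) || return 1
    printf '%s\n' dl exec passthru popen proc_close shell_exec system posix_setuid > "$du_known"
    unknown_blacklist_entries \
        "suhosin.executor.func.blacklist = dl,exec, posox_setuid,proc_close,url_include,system" \
        "$du_known"
    rm -f "$du_known"
}
demo_unknown
```

The command-line PHP binary and the Apache module can load different php.ini files and extensions, so the function list should come from the same PHP setup that serves the site.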
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Thanks, yep - a typo - and was flagged by PHP in /var/log/messages

So far, so good - everything is working as it should and I'm getting through all the setting tweaks I've had to make to allow scripts to operate as they should (request size, memory limit...).
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

I've now managed to replace Atmail Open with Roundcube, but symlinking its directory from the webspace that it resides in has meant that the Suhosin php options added to the webspace vhost settings don't apply to the actual webmail vhost.

e.g. www.website.com/webmail - the vhost settings of website.com have been changed and allow everything that's required.
Going to webmail.website.com doesn't use the same vhost.conf settings.


Can anyone advise as to where I can find these settings to alter them?
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Found it... If you edit the configuration template for atmail.php, you can have full control over the vhost.conf settings:

Code:

/usr/local/psa/admin/conf/templates/default/atmail.php

After editing, reconfigure the domains for it to take effect:

Code:

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all