disable_functions in php.ini for webmail

mdtiberi
Forum Regular
Posts: 124
Joined: Thu Jan 17, 2008 5:48 pm

After the Plesk 8.6 install I was getting the following error trying to send mail from Horde:

"Error There was an error sending your message: Failed to open sendmail [/var/qmail/bin/sendmail] for execution."

Plesk support recommends (http://kb.parallels.com/en/2278) disabling certain functions to get it working again. I did comment out the line in php.ini and webmail did work; however, I am not certain it is a good approach to re-enable these functions one by one and just leave it at that. Perhaps there is a good reason why these functions are disabled, and I don't want to leave any potential security holes.

Any thoughts?
mdtiberi
Forum Regular
Posts: 124
Joined: Thu Jan 17, 2008 5:48 pm

Rather than following Plesk's recommendations of shotgunning disable_functions by eliminating each one, I did find the function that was causing my problems. The "popen" function was re-enabled and sending appears to be fine via webmail.

What other things may happen as a result remains to be seen.
aus-city
Forum Regular
Posts: 685
Joined: Thu Oct 26, 2006 11:56 pm

I got popen allowed in my ASL configuration too for horde :)
warrenc
Forum User
Posts: 41
Joined: Sat May 24, 2008 5:00 pm
Location: VA

Unfortunately I found out the same thing. What I do is only allow popen for webmail:

1. Keep the popen function allowed in php.ini.

2. Install php-suhosin via yum/asl channel.

3. Globally disallow all of the recommended functions by ASL (and anything else) with:

suhosin.executor.func.blacklist <functions list including popen>

4. Go into /etc/httpd/conf.d/ and add this to zz010_psa_httpd.conf under both webmail vhosts (http & https), with the rest of the php_admin_values:

php_admin_value suhosin.executor.func.blacklist = <functions list excluding popen>

The good side of this is you have just found out how to enable functions per vhost. The downside is that every time Plesk updates that config, you'll have to add the suhosin back in. Maybe make a backup after your changes and testing, and then anytime a new domain is added, etc, put em back in. You don't have to worry about this with regular vhosts via vhost.conf, but then again, you shouldn't be doing this much anyway. ;)
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

warrenc wrote:
4. Go into /etc/httpd/conf.d/ and add this to zz010_psa_httpd.conf under both webmail vhosts (http & https), with the rest of the php_admin_values:
php_admin_value suhosin.executor.func.blacklist = <functions list excluding popen>
The good side of this is you have just found out how to enable functions per vhost. The downside is that every time Plesk updates that config, you'll have to add the suhosin back in.

Can't you just create your own .conf file in /etc/httpd/conf.d/ and set the blacklist for the correct Directory/Location paths? Plesk won't overwrite that.
Lemonbit Internet Dedicated Server Management
warrenc
Forum User
Posts: 41
Joined: Sat May 24, 2008 5:00 pm
Location: VA

I'm not really sure, I assumed it had to be within the vhost configuration. Could be wrong, Directory or Location would be much better....
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

You might be right. You could include an external config file in the vhost configuration like Plesk does when you create a vhost.conf for a domain, but of course that include in zz010_psa_httpd.conf will also be overwritten on updates. You could maybe use Plesk's Event Manager to change the configuration files after Plesk regenerates its configs, but this is all starting to sound pretty hacky...
Lemonbit Internet Dedicated Server Management
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

breun wrote:
but of course that include in zz010_psa_httpd.conf will also be overwritten on updates

Here's how to do this but, as breun said, it's hacky. You'll need to create a new conf file. Go to /var/www/vhosts/yourdomain.com/conf (obviously replace yourdomain.com) and copy the httpd.conf file over to /etc/httpd/conf.d as something like z0-include.conf. We need this file to load before zz010_psa_httpd.conf as Apache takes the first config for a given domain. Now you can modify your new conf file and Plesk can't touch it which means you'll need to manually modify it if you ever want to make changes.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

I don't understand why you are copying a domain's config file to /etc/httpd/conf.d/. If you want to modify a regular domain's Apache configuration you can just use this: Including Directives into Web Server Configuration File.
Lemonbit Internet Dedicated Server Management
bartje4
New Forum User
Posts: 2
Joined: Sun Oct 04, 2009 4:58 pm

Hi,

How I did it:

Installed php-suhosin

Then changed /etc/asl/conf
ALLOW_escapeshellcmd="yes"
ALLOW_popen="yes"
All others to "no"

Shell> asl -s -f

Edit php.ini:
At the bottom, add:

[suhosin]
suhosin.executor.func.blacklist = "dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system,leak,posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source,popen,escapeshellcmd"

Edit /etc/httpd/conf.d/zzz_horde_vhost.conf:
Add the following line 2 TIMES between <IfModule mod_php5.c> and </IfModule>: 1 for http and 1 for https.

php_admin_value suhosin.executor.func.blacklist "dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system,leak,posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source"

The example here in this thread (php_admin_value suhosin.executor.func.blacklist = x, y, z, ...) didn't work for me; I had to put it between " " and without the = (equal sign).

Next, to prevent overwriting on the next Plesk/Domain update, add the same to the template, located at /etc/psa/webmail/horde/horde_vhost.conf
For AtMail you could do the same thing, but I don't use it, so I don't know which functions it needs.

Do a short test:
Shell> service httpd configtest
If everything's OK, restart Apache.

If it works, test with the output of http://webmail.yourdomain.com/test.php? ... 2Ftest.php
Look at the difference between:
disable_functions
suhosin.executor.func.blacklist

Happy modding !
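
As an added example (not code from any poster in this thread), this Python script checks the setup described above: it compares the php.ini blacklist with each webmail vhost's php_admin_value override and reports which functions each vhost re-enables, so a lost override after a Plesk config regeneration or an unintended re-enable shows up. The function names, the sample hostname and address, and the shortened function lists are assumptions made for the example.

```python
import re
DIRECTIVE = "suhosin.executor.func.blacklist"

def split_funcs(value):  # '"a, b"' -> {"a", "b"}
    return {f.strip() for f in value.strip().strip('"').split(",") if f.strip()}

def global_blacklist(php_ini):
    """Blacklist assigned in php.ini text (the last assignment wins)."""
    hits = re.findall(r"^\s*" + re.escape(DIRECTIVE) + r"\s*=\s*(.*)$", php_ini, re.M)
    return split_funcs(hits[-1]) if hits else set()

def vhost_overrides(apache_conf):
    """Map 'ServerName:port' -> (override set or None, list of problems)."""
    out = {}
    for port, body in re.findall(r"<VirtualHost\s+[^>]*?:(\d+)>(.*?)</VirtualHost>", apache_conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        funcs, problems = None, []
        for m in re.finditer(r"^\s*php_admin_value\s+" + re.escape(DIRECTIVE) + r"[ \t]+(.*)$", body, re.M):
            if m.group(1).startswith("="):  # form reported in the thread as not working
                problems.append("'=' after directive name")
            else:
                funcs = split_funcs(m.group(1))
        out[f"{name.group(1) if name else '?'}:{port}"] = (funcs, problems)
    return out

def audit(php_ini, apache_conf, allowed=("popen", "escapeshellcmd")):
    """Per vhost: functions re-enabled relative to php.ini, plus problems."""
    base, report = global_blacklist(php_ini), {}
    for key, (funcs, problems) in vhost_overrides(apache_conf).items():
        if funcs is None:
            problems.append("no override: global blacklist applies")
        reenabled = sorted(base - funcs) if funcs is not None else []
        extra = [f for f in reenabled if f not in allowed]
        if extra:
            problems.append("unexpected: " + ",".join(extra))
        report[key] = (reenabled, problems)
    return report

# Constructed sample input: hostname, address and shortened lists are placeholders.
PHP_INI = '[suhosin]\nsuhosin.executor.func.blacklist = "exec,system,proc_open,popen,escapeshellcmd"\n'
APACHE_CONF = """<VirtualHost 192.0.2.10:80>
  ServerName webmail.example.com
  php_admin_value suhosin.executor.func.blacklist "exec,system,proc_open"
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName webmail.example.com
</VirtualHost>
"""
print(audit(PHP_INI, APACHE_CONF))
```

In the sample, the port 80 vhost re-enables only popen and escapeshellcmd, while the port 443 vhost has no override and so still has popen blocked.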
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Wow, great post, this one's going to need to go in the FAQ or get set to sticky.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Thanks for the post. I have a bit of trouble though.

I don't have the file /etc/httpd/conf.d/zzz_horde_vhost.conf or the file /etc/psa/webmail/horde/horde_vhost.conf

I've got the z010_psa_httpd.conf but isn't that overwritten? Running CentOS 5.3.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Sounds like you're not running Plesk 9 yet.
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Thanks! That explains it. Was hoping to do the same with Plesk 8.6...
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

On Plesk 8.6 the Horde config file is in another location. Somewhere under /etc/psa-horde, I believe.

Anyway, what we're doing might be even more interesting. We're not using Suhosin, but have popen (and exec and all their friends) disabled globally and configure Horde to use SMTP instead of sendmail. Problem solved!
Lemonbit Internet Dedicated Server Management