disable_functions in php.ini for webmail
After the Plesk 8.6 install I was getting the following error trying to send mail from Horde:
"Error There was an error sending your message: Failed to open sendmail [/var/qmail/bin/sendmail] for execution."
Plesk support recommends (http://kb.parallels.com/en/2278) disabling certain functions to get it working again. I did comment out the line in php.ini and webmail did work; however, I am not certain it is a good approach to re-enable these functions one by one and just leave it at that. Perhaps there is a good reason why these functions are disabled and I don't want to leave any potential security holes.
Any thoughts?
Rather than following Plesk's recommendations of shotgunning disable_functions by eliminating each one I did find the function that was causing my problems. The "popen" function was re-enabled and sending appears to be fine via webmail.
What other things may happen as a result remains to be seen.
Unfortunately I found out the same thing. What I do is only allow popen for webmail:
1. Keep the popen function allowed in php.ini.
2. Install php-suhosin via yum/asl channel.
3. Globally disallow all of the recommended functions by ASL (and anything else) with:
suhosin.executor.func.blacklist <functions list including popen>
4. Go into /etc/httpd/conf.d/ and add this to zz010_psa_httpd.conf under both webmail vhosts (http & https), with the rest of the php_admin_values:
php_admin_value suhosin.executor.func.blacklist = <functions list excluding popen>
The good side of this is you have just found out how to enable functions per vhost. The downside is that every time Plesk updates that config, you'll have to add the suhosin back in. Maybe make a backup after your changes and testing, and then anytime a new domain is added, etc, put em back in. You don't have to worry about this with regular vhosts via vhost.conf, but then again, you shouldn't be doing this much anyway.
-
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
warrenc wrote:
> 4. Go into /etc/httpd/conf.d/ and add this to zz010_psa_httpd.conf under both webmail vhosts (http & https), with the rest of the php_admin_values:
> php_admin_value suhosin.executor.func.blacklist = <functions list excluding popen>
> The good side of this is you have just found out how to enable functions per vhost. The downside is that every time Plesk updates that config, you'll have to add the suhosin back in.
Can't you just create your own .conf file in /etc/httpd/conf.d/ and set the blacklist for the correct Directory/Location paths? Plesk won't overwrite that.
Lemonbit Internet Dedicated Server Management
You might be right. You could include an external config file in the vhost configuration like Plesk does when you create a vhost.conf for a domain, but of course that include in zz010_psa_httpd.conf will also be overwritten on updates. You could maybe use Plesk's Event Manager to change the configuration files after Plesk regenerates its configs, but this is all starting to sound pretty hacky...
> but of course that include in zz010_psa_httpd.conf will also be overwritten on updates
Here's how to do this but, as breun said, it's hacky. You'll need to create a new conf file. Go to /var/www/vhosts/yourdomain.com/conf (obviously replace yourdomain.com) and copy the httpd.conf file over to /etc/httpd/conf.d as something like z0-include.conf. We need this file to load before zz010_psa_httpd.conf as Apache takes the first config for a given domain. Now you can modify your new conf file and Plesk can't touch it which means you'll need to manually modify it if you ever want to make changes.
I don't understand why you are copying a domain's config file to /etc/httpd/conf.d/. If you want to modify a regular domain's Apache configuration you can just use this: Including Directives into Web Server Configuration File.
Re: disable_functions in php.ini for webmail
Hi,
How I did it:
Installed php-suhosin
Then changed /etc/asl/conf
ALLOW_escapeshellcmd="yes"
ALLOW_popen="yes"
All others to "no"
Shell> asl -s -f
Edit php.ini:
At the bottom, add:
[suhosin]
suhosin.executor.func.blacklist = "dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system,leak,posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source,popen,escapeshellcmd"
Edit /etc/httpd/conf.d/zzz_horde_vhost.conf:
Add the following line 2 TIMES between <IfModule mod_php5.c> and </IfModule>: 1 for http and 1 for https
php_admin_value suhosin.executor.func.blacklist "dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system,leak,posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source"
The example here in this thread (php_admin_value suhosin.executor.func.blacklist = x, y, z, ...) didn't work for me, I had to put it between " " and without the = (equal sign)
Next, to prevent overwriting on the next Plesk/domain update, add the same to the template, located at /etc/psa/webmail/horde/horde_vhost.conf
For AtMail you could do the same thing, but I don't use it, so I don't know which functions it needs.
Do a short test:
Shell> service httpd configtest
If everything's OK, restart Apache
If it works, test with the output of http://webmail.yourdomain.com/test.php? ... 2Ftest.php
Look at the difference between:
disable_functions
suhosin.executor.func.blacklist
Happy modding !
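As an added example (not part of the original post, and not Atomicorp or Plesk code), the Python script below audits the layout described above: it reads the global suhosin blacklist from php.ini, then checks each webmail `<VirtualHost>` block for a correctly quoted `php_admin_value` override and reports any function re-enabled beyond popen and escapeshellcmd. The file contents are constructed samples, and the helper names and the 192.0.2.10 vhost addresses are assumptions made for the example.

```python
import re
# Added example: helper names and the 192.0.2.10 addresses are hypothetical.
KEY = "suhosin.executor.func.blacklist"
BASE = ("dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,"
        "proc_close,proc_open,proc_terminate,shell_exec,system,leak,"
        "posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source")

# Constructed sample files; the function lists are the ones quoted in the post.
PHP_INI = f'[suhosin]\n{KEY} = "{BASE},popen,escapeshellcmd"\n'
VHOST_CONF = f'''
<VirtualHost 192.0.2.10:80>
  <IfModule mod_php5.c>
    php_admin_value {KEY} "{BASE}"
  </IfModule>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  <IfModule mod_php5.c>
    php_admin_value {KEY} = {BASE},popen
  </IfModule>
</VirtualHost>
'''

def names(value):
    # Split a comma-separated function list, dropping quotes and blanks.
    return {n.strip() for n in value.strip().strip('"').split(",") if n.strip()}

def global_blacklist(php_ini):
    m = re.search(rf'^\s*{re.escape(KEY)}\s*=\s*(.+)$', php_ini, re.M)
    return names(m.group(1)) if m else set()

def audit(php_ini, vhost_conf, expected=frozenset({"popen", "escapeshellcmd"})):
    """Return (vhost, status, unexpectedly re-enabled functions) per vhost."""
    blocked, findings = global_blacklist(php_ini), []
    blocks = re.findall(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', vhost_conf, re.S)
    for addr, body in blocks:
        m = re.search(rf'^\s*php_admin_value\s+{re.escape(KEY)}\s+(.*)$', body, re.M)
        if not m:  # no override: the global list applies, popen stays blocked
            findings.append((addr, "INHERITS_GLOBAL", set()))
        elif not re.fullmatch(r'"[^"]*"', m.group(1).strip()):
            # unquoted or "=" form, which the post reports did not work
            findings.append((addr, "BAD_SYNTAX", set()))
        else:
            extra = blocked - names(m.group(1)) - expected
            findings.append((addr, "UNEXPECTED_EXEMPTION" if extra else "OK", extra))
    return findings

if __name__ == "__main__":
    for addr, status, extra in audit(PHP_INI, VHOST_CONF):
        print(addr, status, ",".join(sorted(extra)))
```

Running the same check against the Plesk template file as well shows whether a regenerated vhost config would silently drop the override.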
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
Re: disable_functions in php.ini for webmail
Wow, great post, this one's going to need to go in the FAQ or get set to sticky
Re: disable_functions in php.ini for webmail
Thanks for the post. I have a bit of trouble though.
I don't have the file /etc/httpd/conf.d/zzz_horde_vhost.conf or the file /etc/psa/webmail/horde/horde_vhost.conf
I've got the z010_psa_httpd.conf but isn't that overwritten? Running CentOS 5.3.
Re: disable_functions in php.ini for webmail
Sounds like you're not running Plesk 9 yet.
Re: disable_functions in php.ini for webmail
Thanks! That explains it. Was hoping to do the same with Plesk 8.6...
Re: disable_functions in php.ini for webmail
On Plesk 8.6 the Horde config file is in another location. Somewhere under /etc/psa-horde, I believe.
Anyway, what we're doing might be even more interesting. We're not using Suhosin, but have popen (and exec and all their friends) disabled globally and configure Horde to use SMTP instead of sendmail. Problem solved!