vhost.conf settings for Plesk 10.3
Hi,
I've previously used vhost.conf settings for older Plesk versions, however I'm trying to change the php_admin_value of disable_functions to allow exec to run on a specific domain.
I edit the vhost.conf file, reconfigure the domain and restart apache, but the limit is still in place.
Has this changed for v10?
Re: vhost.conf settings for Plesk 10.3
According to http://php.net/manual/en/ini.core.php disable_functions can only be configured in php.ini, so you can't overwrite it in Apache configuration.
Lemonbit Internet Dedicated Server Management
Re: vhost.conf settings for Plesk 10.3
Ahhh... thanks Breun
I'm installing a new webmail (roundcube), which has plugins for Plesk that allow users to configure their Auto Responder and email forwarding.
The plugin was created by someone else to use the CLI methods that Plesk provides.
exec is not a function that I'd particularly like to open up server-wide, are there any other ways to allow this on a single domain?
Re: vhost.conf settings for Plesk 10.3
suhosin ought to fix it. Faris has replied to a thread with his setup. But that setup makes you allow it globally and then disable it globally with suhosin. This makes ASL complain it is a High risk. But you know you are safe, except for the domains where you specifically enable it.
Last edited by biggles on Sat Nov 12, 2011 2:27 am, edited 1 time in total.
Re: vhost.conf settings for Plesk 10.3
I think you mean Suhosin?
Lemonbit Internet Dedicated Server Management
Re: vhost.conf settings for Plesk 10.3
Thanks, found it.
Before going to the trouble of setting this up, I thought I'd enable exec temporarily to test the feature out.
I'm not too sure about it... it needs to run the command:
Code:
sudo /opt/psa/bin/autoresponder -i -mail chris@abc123.com
Currently giving an error log of:
Code:
sudo: apache : no tty present and no askpass program specified ; TTY=unknown ; PWD=/var/www/vhosts/abc123.com/httpdocs/webmail ; USER=root ; COMMAND=/opt/psa/bin/autoresponder -i -mail chris@abc123.com
If I add the below to /etc/sudoers, it should work.
Code:
apache ALL=NOPASSWD: /opt/psa/bin/autoresponder
But do you think this is too much of a security risk?
Re: vhost.conf settings for Plesk 10.3
breun wrote: I think you mean Suhosin?
Oops! As usual breun is right! Thanks for the correction!
Re: vhost.conf settings for Plesk 10.3
OK, I've configured everything and it's working fine - I now have Roundcube installed with custom Plesk plugins allowing Autoresponders and Passwords to be set.
I installed suhosin and configured it to block the following functions:
Code:
suhosin.executor.func.blacklist = dl,exec,leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,pos,shell_exec,url_include,curl_multi_exec,ftp_exec,pcntl_exec,phpinfo,posox_setuid,proc_close,proc_get_status,proc_nice,proc_terminate,show_source,system$
Based on the initial list given by faris at http://www.atomicorp.com/forums/viewtop ... sin#p31634
I turned off PHP checking in ASL to allow suhosin to deal with that for me.
The scripts required access to the plesk autoresponder command via the CLI - so I added apache to the sudoers file for that command only:
Code:
apache ALL = NOPASSWD: /usr/local/psa/bin/autoresponder
I enabled exec in vhost.conf for the domain where the webmail is currently located and everything works great.
Can anyone spot any glaring security issues here? Or functions that perhaps should be disabled server wide that I've missed?
Thanks
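An added example, not part of the thread or of the Roundcube plugin: a sudoers rule that names only a command lets the apache user run it with any arguments, and it applies to everything running as apache, not just the one vhost where exec is enabled. One way to narrow it is to have sudo run a root-owned wrapper that accepts only the `-i -mail <address>` form quoted earlier in the thread; the wrapper path and `ALLOWED_DOMAINS` are assumptions, and any other autoresponder operation the plugin uses would need its own explicit check.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical install path, root-owned, mode 0755:
#   /usr/local/sbin/webmail-autoresponder
# sudoers entry (via visudo) that would replace the rule naming the Plesk binary:
#   apache ALL = (root) NOPASSWD: /usr/local/sbin/webmail-autoresponder
LC_ALL=C; export LC_ALL

AUTORESPONDER=/usr/local/psa/bin/autoresponder   # path from the thread
ALLOWED_DOMAINS="abc123.com"                     # assumption: domains this webmail serves

# valid_mailbox ADDRESS: succeed only for local@domain with an allowed domain.
valid_mailbox() {
    case $1 in
        # a leading "-" would be read as an option; anything outside
        # [A-Za-z0-9._@-], a second "@", or an empty side is refused
        -*|*[!A-Za-z0-9._@-]*|*@*@*|@*|*@) return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    for d in $ALLOWED_DOMAINS; do
        [ "${1#*@}" = "$d" ] && return 0
    done
    return 1
}

# check_request ARGS...: succeed only for exactly "-i -mail ADDRESS".
check_request() {
    [ "$#" -eq 3 ] || return 1
    [ "$1" = "-i" ] || return 1
    [ "$2" = "-mail" ] || return 1
    valid_mailbox "$3"
}

main() {
    if check_request "$@"; then
        exec "$AUTORESPONDER" -i -mail "$3"
    fi
    echo "refused: unsupported arguments" >&2
    exit 64
}

# Run only when arguments are given, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The PHP side would then call `sudo /usr/local/sbin/webmail-autoresponder -i -mail <address>` instead of the Plesk binary directly.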
Re: vhost.conf settings for Plesk 10.3
chrismcb wrote: or functions that perhaps should be disabled server wide that I've missed?
Check the PHP settings in /etc/asl/config for the risky PHP functions according to ASL.
You disabled 'pos' and 'posox_setuid', which don't exist AFAIK. Typo?
url_include is also not a PHP function AFAIK. I think you wanted to disable allow_url_include? This is not a PHP function, but a PHP configuration setting. You'll want to set PHP_URL_INCLUDE="no" in /etc/asl/config and run asl -s -f, which will set allow_url_include = "no" in /etc/php.ini.
Lemonbit Internet Dedicated Server Management
Re: vhost.conf settings for Plesk 10.3
Thanks, yep - a typo - and was flagged by PHP in /var/log/messages
So far, so good - everything is working as it should and I'm getting through all the setting tweaks I've had to make to allow scripts to operate as they should (request size, memory limit...).
Re: vhost.conf settings for Plesk 10.3
I've now managed to replace Atmail Open with Roundcube, but symlinking its directory from the webspace that it resides in has meant that the Suhosin php options added to the webspace vhost settings don't apply to the actual webmail vhost.
e.g. www.website.com/webmail - the vhost settings of website.com have been changed and allow everything that's required.
Going to webmail.website.com doesn't use the same vhost.conf settings.
Can anyone advise as to where I can find these settings to alter them?
Re: vhost.conf settings for Plesk 10.3
Found it... If you edit the configuration template for atmail.php, you can have full control over the vhost.conf settings:
Code:
/usr/local/psa/admin/conf/templates/default/atmail.php
After editing, reconfigure the domains for it to take effect:
Code:
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all