Atomic Secure Linux
 Post subject: disable_functions in php.ini for webmail
Posted: Wed Aug 06, 2008 12:00 pm
Forum Regular

Joined: Thu Jan 17, 2008 5:48 pm
Posts: 124
After the Plesk 8.6 install I was getting the following error trying to send mail from Horde:

"Error There was an error sending your message: Failed to open sendmail [/var/qmail/bin/sendmail] for execution."

Plesk support recommends (http://kb.parallels.com/en/2278) disabling certain functions to get it working again. I did comment out the line in php.ini and webmail did work; however, I am not certain it is a good approach to re-enable these functions one by one and just leave it at that. Perhaps there is a good reason why these functions are disabled and I don't want to leave any potential security holes.

Any thoughts?


Posted: Wed Aug 06, 2008 2:55 pm
Forum Regular

Joined: Thu Jan 17, 2008 5:48 pm
Posts: 124
Rather than following Plesk's recommendations of shotgunning disable_functions by eliminating each one, I did find the function that was causing my problems. The "popen" function was re-enabled and sending appears to be fine via webmail.

What other things may happen as a result remains to be seen.


Posted: Thu Aug 07, 2008 6:58 pm
Forum Regular

Joined: Thu Oct 26, 2006 11:56 pm
Posts: 684
I got popen allowed in my ASL configuration too for horde :)


Posted: Thu Aug 07, 2008 7:16 pm
Forum User

Joined: Sat May 24, 2008 5:00 pm
Posts: 41
Location: VA
Unfortunately I found out the same thing. What I do is only allow popen for webmail:

1. Keep the popen function allowed in php.ini.

2. Install php-suhosin via yum/asl channel.

3. Globally disallow all of the recommended functions by ASL (and anything else) with:

Quote:
suhosin.executor.func.blacklist <functions list including popen>


4. Go into /etc/httpd/conf.d/ and add this to zz010_psa_httpd.conf under both webmail vhosts (http & https), with the rest of the php_admin_values:

Quote:
php_admin_value suhosin.executor.func.blacklist = <functions list excluding popen>


The good side of this is you have just found out how to enable functions per vhost. The downside is that every time Plesk updates that config, you'll have to add the suhosin back in. Maybe make a backup after your changes and testing, and then anytime a new domain is added, etc, put em back in. You don't have to worry about this with regular vhosts via vhost.conf, but then again, you shouldn't be doing this much anyway. ;)


Posted: Fri Aug 08, 2008 5:48 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2813
Location: The Netherlands
warrenc wrote:
4. Go into /etc/httpd/conf.d/ and add this to zz010_psa_httpd.conf under both webmail vhosts (http & https), with the rest of the php_admin_values:

Quote:
php_admin_value suhosin.executor.func.blacklist = <functions list excluding popen>


The good side of this is you have just found out how to enable functions per vhost. The downside is that every time Plesk updates that config, you'll have to add the suhosin back in.


Can't you just create your own .conf file in /etc/httpd/conf.d/ and set the blacklist for the correct Directory/Location paths? Plesk won't overwrite that.

_________________
Lemonbit Internet Dedicated Server Management


Posted: Fri Aug 08, 2008 5:57 am
Forum User

Joined: Sat May 24, 2008 5:00 pm
Posts: 41
Location: VA
I'm not really sure, I assumed it had to be within the vhost configuration. Could be wrong, Directory or Location would be much better....


Posted: Fri Aug 08, 2008 6:47 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2813
Location: The Netherlands
You might be right. You could include an external config file in the vhost configuration like Plesk does when you create a vhost.conf for a domain, but of course that include in zz010_psa_httpd.conf will also be overwritten on updates. You could maybe use Plesk's Event Manager to change the configuration files after Plesk regenerates its configs, but this is all starting to sound pretty hacky...

_________________
Lemonbit Internet Dedicated Server Management


Posted: Fri Aug 08, 2008 9:06 am
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 674
Quote:
but of course that include in zz010_psa_httpd.conf will also be overwritten on updates


Here's how to do this but, as breun said, it's hacky. You'll need to create a new conf file. Go to /var/www/vhosts/yourdomain.com/conf (obviously replace yourdomain.com) and copy the httpd.conf file over to /etc/httpd/conf.d as something like z0-include.conf. We need this file to load before zz010_psa_httpd.conf as Apache takes the first config for a given domain. Now you can modify your new conf file and Plesk can't touch it which means you'll need to manually modify it if you ever want to make changes.


Posted: Fri Aug 08, 2008 9:11 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2813
Location: The Netherlands
I don't understand why you are copying a domain's config file to /etc/httpd/conf.d/. If you want to modify a regular domain's apache configuration you can just use this: Including Directives into Web Server Configuration File.

_________________
Lemonbit Internet Dedicated Server Management


Posted: Tue Oct 06, 2009 4:50 pm
New Forum User

Joined: Sun Oct 04, 2009 4:58 pm
Posts: 2
Hi,

How I did it:

Installed php-suhosin

Then changed /etc/asl/conf
ALLOW_escapeshellcmd="yes"
ALLOW_popen="yes"
All others to "no"

Shell> asl -s -f

Edit php.ini:
At the bottom, add:

[suhosin]
suhosin.executor.func.blacklist = "dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system,leak,posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source,popen,escapeshellcmd"

Edit /etc/httpd/conf.d/zzz_horde_vhost.conf:
Add the following line 2 TIMES between <IfModule mod_php5.c> and </IfModule>. 1 for http and 1 for https

php_admin_value suhosin.executor.func.blacklist "dl,exec,passthru,pfsockopen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system,leak,posix_setpgid,posix_setsid,proc_get_status,proc_nice,show_source"

The example here in this thread (php_admin_value suhosin.executor.func.blacklist = x, y, z, ...) didn't work for me, I had to put it between " " and without the = (equal sign)

Next to prevent overwriting on next Plesk/Domain update, add the same to the template, located /etc/psa/webmail/horde/horde_vhost.conf
for AtMail you could do the same thing, but I don't use it, so I don't know which functions it needs.

Do a short test:
Shell> service httpd configtest
If everything's OK, restart apache

If it works, test with the output of http://webmail.yourdomain.com/test.php? ... 2Ftest.php
Look at the difference between:
disable_functions
suhosin.executor.func.blacklist

Happy modding !
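
The per-vhost override in the post above can be audited mechanically. This added example (not part of the original post, and not ASL or Plesk code) lists which functions a vhost's suhosin.executor.func.blacklist re-enables relative to php.ini, which of those disable_functions still blocks, and whether the override uses the "=" form reported above as not working. The function names are hypothetical and the sample files are constructed, with the lists shortened.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.
export LC_ALL=C
BL='suhosin\.executor\.func\.blacklist'

# funcs FILE DIRECTIVE_REGEX: print the directive's comma list, one name per
# line, sorted. Accepts 'name = "a,b"' (php.ini) and 'php_admin_value name "a,b"'.
funcs() {
    grep -E "^[[:space:]]*(php_admin_value[[:space:]]+)?${2}([[:space:]=]|\$)" "$1" \
        | tail -n 1 \
        | sed -E "s/^.*${2}[[:space:]]*=?[[:space:]]*//; s/\"//g" \
        | tr ',' '\n' | tr -d ' \t\r' | grep -v '^$' | sort -u
}

# reenabled PHP_INI VHOST_CONF: names blocked globally by Suhosin but not in the vhost.
reenabled() {
    grep -Eq "^[[:space:]]*php_admin_value[[:space:]]+${BL}" "$2" || return 0  # no override
    g=$(mktemp); v=$(mktemp)
    funcs "$1" "$BL" > "$g"; funcs "$2" "$BL" > "$v"
    comm -23 "$g" "$v" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$g" "$v"
}

# still_disabled PHP_INI VHOST_CONF: re-enabled names that disable_functions
# (settable in php.ini only) keeps blocked, so the override does nothing for them.
still_disabled() {
    d=$(mktemp); r=$(mktemp)
    funcs "$1" 'disable_functions' > "$d"
    reenabled "$1" "$2" | tr ' ' '\n' | grep -v '^$' | sort -u > "$r"
    comm -12 "$d" "$r" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$d" "$r"
}

# uses_equals VHOST_CONF: true if the override uses the "=" form.
uses_equals() { grep -Eq "^[[:space:]]*php_admin_value[[:space:]]+${BL}[[:space:]]*=" "$1"; }

# --- constructed sample input ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/php.ini" <<'EOF'
disable_functions = dl,exec,passthru,proc_open,shell_exec,system
[suhosin]
suhosin.executor.func.blacklist = "dl,exec,passthru,proc_open,shell_exec,system,popen,escapeshellcmd"
EOF
cat > "$tmp/horde.conf" <<'EOF'
<IfModule mod_php5.c>
    php_admin_value suhosin.executor.func.blacklist "dl,exec,passthru,proc_open,shell_exec,system"
</IfModule>
EOF
echo "re-enabled for webmail: $(reenabled "$tmp/php.ini" "$tmp/horde.conf")"
echo "still blocked by disable_functions: $(still_disabled "$tmp/php.ini" "$tmp/horde.conf")"
```

Anything the first line reports beyond the functions webmail actually needs is extra exposure on that vhost.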


Posted: Wed Oct 07, 2009 8:20 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Wow, great post, this one's going to need to go in the FAQ or get set to sticky


Posted: Wed Oct 07, 2009 9:05 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Thanks for the post. I have a bit of trouble though.

I don't have the file /etc/httpd/conf.d/zzz_horde_vhost.conf or the file /etc/psa/webmail/horde/horde_vhost.conf

I've got the z010_psa_httpd.conf but isn't that overwritten? Running CentOS 5.3.


Posted: Wed Oct 07, 2009 9:06 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2813
Location: The Netherlands
Sounds like you're not running Plesk 9 yet.

_________________
Lemonbit Internet Dedicated Server Management


Posted: Wed Oct 07, 2009 9:08 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 805
Location: Sweden
Thanks! That explains it. Was hoping to do the same with Plesk 8.6...


Posted: Wed Oct 07, 2009 9:21 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2813
Location: The Netherlands
On Plesk 8.6 the Horde config file is in another location. Somewhere under /etc/psa-horde, I believe.

Anyway, what we're doing might be even more interesting. We're not using Suhosin, but have popen (and exec and all their friends) disabled globally and configure Horde to use SMTP instead of sendmail. Problem solved!

_________________
Lemonbit Internet Dedicated Server Management

