Polarhome Community

[zoli]

hi,

I assume, that it is a general wish to disable PHP safe_mode=on.

It is important to understad that PHP, as a command interpreter usually runs as a web server user and not as a home page user, therefore there is a high security risk to abuse this behaviour. Therefore PHP has a special option - safe_mode that assure that home page user access just files with own UID/GID and lot of file and system functions are disbaled because of web server access rights.

Moreover there is a problem with some normal (not safe_moded) functions as mail() and some socket functions that can be extremelly powerful in malitious user's hand.

As a first stage, I implemented a patch that allowed mail and other disabled functions just for shell/registered users

... and now I a proud to announce that solution that allows safe mode to be turned off without security violations, is ready.
It is not a revolutionary solution but it does work and polarhome users might have a possibility to enjoy full power of PHP (if we vote so).

For test purpose this solution is installed just on freebsd server and after one week testing I plan to patch all other systems that supports PHP.

[DenisF]

wow

That's.......wow...
*shocked*
I never thought id'e live up to see this happen.. not even to shell-only users..
Well done Z, Well done.

Though with these new settings (mail and safemode), id'e recommend to tight-up the shell forms, add certain criteria to it..
Recon we will have a whole new wave of people who will gladly abuse those low-cost features

[zoli]

Denis,

> Recon we will have a whole new wave of people who will gladly abuse those low-cost features

I do not think so... safe mode is turned off, but users run under their own UID/GID and our solution is more picky on that than safe mode, but if UID/GID is satisfied it allows full PHP power - except mail and other socket functions - they still requires registration.

[DenisF]

I hope you're right..

This -is- a good solution to bring more shell users, on that i agree, but on the other hand it can bring some people who can spare those 2~5$ just to put a mass-emailer script or .. erm.. something of that sort.

Alas, we'll just have to see
PS
will this be implemented on redhat?

[zoli]

hi,

yes, I planned to implement on every system that runs PHP.

... I know that there is a problem with lot of "cheap" registrations on redhat - but it would not be fair against other registered users.

[sjaz]

Indeed, the AUP for polarhome probably(or should contain) information pertaining to the deletion of account for spam abuse.

Wonder if its possible to lock down safe mode so all mail comes from username@polarhome.com so they cant spoof in the from field...

[zoli]

Only mail.polarhome.com has full spam and virus control.

Unfortunately outgoing mail (originated from hosts) may use local smtp server... but in near future I'll configure "smarthost" feature on polarhome hosts that forces every (both in and outgoing) mail to pass mail.polarhome.com filtering out spam and viruses.

[zoli]

so.... ?
Do you want such solution that freebsd runs now on not?

[DenisF]

Shall polarhome disable PHP safe_mode? (it is enabled now)
Yes  54.67 % (82)
No  31.33 % (47)
I don't use PHP  6.00 % (9)
No opinion  8.00 % (12)
Total votes: 150

Looks like i'm not the only one who can't make up his mind

[zoli]

hi,

seems this FreeBSD test of PHP safe_mode=off was not a success story, not because safe mode did not work, but PHP did not work as it should for 80% of users. It required very strict permissions and ownership on the file, that users in most cases, could not satisfy.

I am shame to say that I fixed the problem while I drunk a beer or two. I could do it much earlier.
It should work better now... please re-evaluate.

If you like this solution it will be implemented on all hosts including redhat.

In short:
php safe mode off for all users
cgi just for shell/registered users
mail and other socket functions just for shell users

[DenisF]

A beer never killed anyone zoli

I'll look into it

BTW
freebsd seems to have some quotas problem

denisf@freebsd$ quota -v denisf
quota: /home/quota.user: Permission denied
Disk quotas for user denisf (uid 5483): none

EDIT
Iv'e checked some apps that need the safemode off, works like a charm
Tried installing phpBB2, but i get an internal server error at step2 of installation

[sjaz]

Yeah, I mentioned the quota thing before on FreeBSD, and as for the beer Zoli its good

[zoli]

quota file was corrupt.
now it should be ok.

[sjaz]

Yep, perfect

[locke]

What happened about this? I've noticed that safe mode is still turned on.

[sjaz]

In future it would be easier if you outlined your username and what server your on.

[DenisF]

I came up with a really nice solution that will keep both the users and the system happy, it is currently being reviewed by Z and should it pass the QA test - it will come to a server near you very soon

[For the impatient; you can register an account on mandrake and try it right now, free of charge ]

[maorl]

Can you watch the poll now?

Shall polarhome disable PHP safe_mode? (it is enabled now)
Yes  54.31 % (1122)
No  35.24 % (728)
I don't use PHP  4.70 % (97)
No opinion  5.76 % (119)
Total votes: 2066

So are tou going to disable the safe_mod or not??

[DenisF]

pro = 54.31%
con = 45.69%

doesn't look like safe mode bothers anyone really.

[maorl]

I'll tell you my problem with this "Safe_Mod".. I have a forum hosted here. When someone want to send an E Mail from my forum he just can't use this function because your safe mod don't let the mail function work... My forum's system is IBHEB(Invision Board Hebrew)...