Mailing List Archive

A safe way to allow executables with PHP Safe_mode?
Hi Guys,

I really value your opinions and I think a lot of you share the same
paranoia I have. ;)

I've just loaded up a fresh server, and am using squirrelmail. I have
installed and am using gpg and ispell. The problem is, when Safe_mode=On,
gpg and ispell do not function. With Safe_mode=Off, they work just fine.

Is there a safe way to get these executables to run? I don't want to turn
Safe_mode=Off, that's just too dangerous in my book. Allowing the
shell_exec (?) is just a bit dangerous IMO too, but do I even have a
choice? If that is what needs to be done, how do I enable just that
function? Is it possible to enable it within just one vhost/dir? Is
encrypted email and spell checking worth this risk?


--
gentoo-security@gentoo.org mailing list
Re: A safe way to allow executables with PHP Safe_mode? [ In reply to ]
hi,

On Mon, Jan 31, 2005 at 11:21:15AM -0500, Joey McCoy wrote:

JM> I've just loaded up a fresh server, and am using squirrelmail. I have
JM> installed and am using gpg and ispell. The problem is, when Safe_mode=On,
JM> gpg and ispell do not function. With Safe_mode=Off, they work just fine.
JM>
JM> Is there a safe way to get these executables to run? I don't want to turn
JM> Safe_mode=Off, that's just too dangerous in my book. Allowing the
JM> shell_exec (?) is just a bit dangerous IMO too, but do I even have a
JM> choice? If that is what needs to be done, how do I enable just that
JM> function? Is it possible to enable it within just one vhost/dir? Is
JM> encrypted email and spell checking worth this risk?

you can specify a safe_mode_exec_dir in php.ini which means, that if
safe_mode is on, you can *only* execute programms in these folders.
if you place the gpg and ispell in a seperate folder (maybe symlinks work
too), and set the safe_mode_exec_dir to this folder, you should be safe

assuming you use mod_php, you can specify each value from php.ini in
your httpd.conf on a per direcotory base e.g.

<VirtualHost 62.146.99.10>
DocumentRoot /home/www/mydomain.com
ServerName mydomain.com

<Directory /home/www/mydomain.com>
php_admin_flag engine on
php_admin_value open_basedir /www/sites/k0212/html
php_admin_flag safe_mode on
php_admin_value safe_mode_exec_dir /usr/local/bin/php-safe-mode
</Directory>
</VirtualHost>

if it is worth for you to do this in order to have spell chaing and
encryped email in squirrel mail is up to you
you could also try to use suphp or suexec to run the phpscripts with the
permissions of a different user than the webserver

hth

cheers,
roman


--
gentoo-security@gentoo.org mailing list
Re: A safe way to allow executables with PHP Safe_mode? [ In reply to ]
On Monday 31 January 2005 11:59 am, Roman Pertl wrote:
> JM> Is there a safe way to get these executables to run? I don't want to
> turn JM> Safe_mode=Off, that's just too dangerous in my book. Allowing the
> JM> shell_exec (?) is just a bit dangerous IMO too, but do I even have a
> JM> choice? If that is what needs to be done, how do I enable just that
> JM> function? Is it possible to enable it within just one vhost/dir? Is
> JM> encrypted email and spell checking worth this risk?
>
> you can specify a safe_mode_exec_dir in php.ini which means, that if
> safe_mode is on, you can *only* execute programms in these folders.
> if you place the gpg and ispell in a seperate folder (maybe symlinks work
> too), and set the safe_mode_exec_dir to this folder, you should be safe

People have tested the GPG Plugin for Squirrelmail successfully using safe
mode by setting the safe_mode_exec_dir variable. I don't have any
information on the squirrelspell plugin.

I suspect you might need to compile gpg with static libraries so that you can
copy the binary to your safe_mode_exec_dir, but I understand that that varies
by distro, and I've never tried safe_mode on Gentoo with the SM GPG Plugin.

Regards,

- Brian Peterson
GPG Plugin for Squirrelmail Team Lead
(and avid Gentoo user)

--
gentoo-security@gentoo.org mailing list
Re: A safe way to allow executables with PHP Safe_mode? [ In reply to ]
Do you remember who might have gotten this to work or if there is a
tutorial for it?

I setup safe_mode_exec_dir, and placed the statically compiled gpg
directoris (/usr , etc) under that dir, and also changed the
'path_to_gpg=' variables in the plugin config files, but still nogo. I
cannot view my keyring.

> On Monday 31 January 2005 11:59 am, Roman Pertl wrote:
>> JM> Is there a safe way to get these executables to run? I don't want
to turn JM> Safe_mode=Off, that's just too dangerous in my book.
Allowing the
>> JM> shell_exec (?) is just a bit dangerous IMO too, but do I even have
a JM> choice? If that is what needs to be done, how do I enable just
that JM> function? Is it possible to enable it within just one
vhost/dir? Is JM> encrypted email and spell checking worth this risk?
>>
>> you can specify a safe_mode_exec_dir in php.ini which means, that if
safe_mode is on, you can *only* execute programms in these folders. if
you place the gpg and ispell in a seperate folder (maybe symlinks work
>> too), and set the safe_mode_exec_dir to this folder, you should be safe
>
> People have tested the GPG Plugin for Squirrelmail successfully using
safe mode by setting the safe_mode_exec_dir variable. I don't have any
information on the squirrelspell plugin.
>
> I suspect you might need to compile gpg with static libraries so that
you can
> copy the binary to your safe_mode_exec_dir, but I understand that that
varies
> by distro, and I've never tried safe_mode on Gentoo with the SM GPG Plugin.
>
> Regards,
>
> - Brian Peterson
> GPG Plugin for Squirrelmail Team Lead
> (and avid Gentoo user)
>
> --
> gentoo-security@gentoo.org mailing list
>
>





--
gentoo-security@gentoo.org mailing list