Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: vhost.conf settings for Plesk 10.3
Posted: Thu Nov 10, 2011 1:15 pm
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
Hi,

I've previously used vhost.conf settings for older Plesk versions, however I'm trying to change the php_admin_value of disable_functions to allow exec to run on a specific domain.

I edit the vhost.conf file, reconfigure the domain and restart apache, but the limit is still in place.


Has this changed for v10?


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Fri Nov 11, 2011 5:28 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
According to http://php.net/manual/en/ini.core.php disable_functions can only be configured in php.ini, so you can't overwrite it in Apache configuration.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Fri Nov 11, 2011 5:36 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
Ahhh... thanks Breun

I'm installing a new webmail (roundcube), which has plugins for Plesk that allow users to configure their Auto Responder and email forwarding.

The plugin was created by someone else to use the CLI methods that Plesk provides.


exec is not a function that I'd particularly like to open up server-wide, are there any other ways to allow this on a single domain?


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Fri Nov 11, 2011 5:41 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 778
Location: Sweden
suhosin ought to fix it. Faris has replied to a thread with his setup. But that setup makes you allow it globally and then disable it globally with suhosin. This makes ASL complain it is a High risk. But you know you are safe, except for the domains where you specifically enable it.


Last edited by biggles on Sat Nov 12, 2011 2:27 am, edited 1 time in total.

 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Fri Nov 11, 2011 6:46 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I think you mean Suhosin?

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Fri Nov 11, 2011 7:04 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
Thanks, found it.

Before going to the trouble of setting this up, I thought I'd enable exec temporarily to test the feature out.

I'm not too sure about it... it needs to run the command:
Code:
sudo /opt/psa/bin/autoresponder -i -mail chris@abc123.com


Currently giving an error log of:
Code:
sudo: apache : no tty present and no askpass program specified ; TTY=unknown ; PWD=/var/www/vhosts/abc123.com/httpdocs/webmail ; USER=root ; COMMAND=/opt/psa/bin/autoresponder -i -mail chris@abc123.com


If I add the below to /etc/sudoers, it should work.
Code:
apache ALL=NOPASSWD: /opt/psa/bin/autoresponder



But do you think this is too much of a security risk?


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Sat Nov 12, 2011 2:27 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 778
Location: Sweden
breun wrote:
I think you mean Suhosin?

Oops! As usual breun is right! Thanks for the correction!


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Thu Nov 17, 2011 11:09 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
OK, I've configured everything and it's working fine - I now have Roundcube installed with custom Plesk plugins allowing Autoresponders and Passwords to be set.

I installed suhosin and configured it to block the following functions:

Code:
suhosin.executor.func.blacklist = dl,exec,leak,passthru,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,pos,shell_exec,url_include,curl_multi_exec,ftp_exec,pcntl_exec,phpinfo,posox_setuid,proc_close,proc_get_status,proc_nice,proc_terminate,show_source,system$

Based on the initial list given by faris at viewtopic.php?f=2&t=5250&p=31647&hilit=Suhosin#p31634

I turned off PHP checking in ASL to allow suhosin to deal with that for me.


The scripts required access to the plesk autoresponder command via the CLI - so I added apache to the sudoers file for that command only:
Code:
apache ALL = NOPASSWD: /usr/local/psa/bin/autoresponder


I enabled exec in vhost.conf for the domain where the webmail is currently located and everything works great.


Can anyone spot any glaring security issues here? or functions that perhaps should be disabled server wide that I've missed?



Thanks


Top
 Profile  
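
The sudoers rule quoted in the Nov 11 and Nov 17 posts above names only the binary, so apache may run it as root with any arguments. One way to narrow that, shown as an added example that is not part of the thread or of Plesk, is to list a small wrapper in sudoers instead, which fixes the flags and validates the address. The wrapper path is hypothetical; the Plesk path and the `-i -mail` flags are the ones quoted in the posts.

```sh
#!/bin/sh
# Added example. Hypothetical wrapper path: /usr/local/sbin/plesk-autoresponder-info
# sudoers would then list the wrapper instead of the Plesk binary:
#   apache ALL = NOPASSWD: /usr/local/sbin/plesk-autoresponder-info
LC_ALL=C; export LC_ALL          # make the [A-Z] ranges below byte-wise

# Hard-coded, never read from the caller's environment (path as in the thread).
PLESK_AUTORESPONDER=/usr/local/psa/bin/autoresponder

# Return 0 only for a plain mailbox address: conservative character set,
# exactly one "@", and no leading "-" that could be parsed as an option.
valid_mailbox() {
    addr=$1
    [ -n "$addr" ] && [ "${#addr}" -le 254 ] || return 1
    case $addr in
        -*|*[!A-Za-z0-9._@+-]*) return 1 ;;
    esac
    local_part=${addr%%@*}
    domain=${addr#*@}
    [ "$local_part@$domain" = "$addr" ] || return 1    # no "@" at all
    case $domain in
        ''|*@*|.*|*.|-*|*..*) return 1 ;;               # second "@" or odd domain
    esac
    case $domain in
        *.*) ;;
        *) return 1 ;;
    esac
    [ -n "$local_part" ]
}

main() {
    # Exactly one argument; the flags are fixed here, not chosen by the caller.
    if [ "$#" -ne 1 ] || ! valid_mailbox "$1"; then
        echo "usage: $0 mailbox@domain" >&2
        return 64
    fi
    # Clean environment; the address is passed as one argv element, no shell.
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        "$PLESK_AUTORESPONDER" -i -mail "$1"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The PHP side would then call the wrapper through sudo with the address as its only argument, so a malformed address is rejected before anything runs as root.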
 
 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Thu Nov 17, 2011 11:58 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
chrismcb wrote:
or functions that perhaps should be disabled server wide that I've missed?


Check the PHP settings in /etc/asl/config for the risky PHP functions according to ASL.

You disabled 'pos' and 'posox_setuid', which don't exist AFAIK. Typo?

url_include is also not a PHP function AFAIK. I think you wanted to disable allow_url_include? This is not a PHP function, but a PHP configuration setting. You'll want to set PHP_URL_INCLUDE="no" in /etc/asl/config and run asl -s -f, which will set allow_url_include = "no" in /etc/php.ini.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Thu Nov 17, 2011 3:57 pm
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
Thanks, yep - a typo - and was flagged by PHP in /var/log/messages

So far, so good - everything is working as it should and I'm getting through all the setting tweaks I've had to make to allow scripts to operate as they should (request size, memory limit...).


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Wed Nov 23, 2011 9:39 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
I've now managed to replace Atmail Open with Roundcube, but symlinking its directory from the webspace that it resides in has meant that the Suhosin php options added to the webspace vhost settings don't apply to the actual webmail vhost.

e.g. www.website.com/webmail - the vhost settings of website.com have been changed and allow everything that's required.
Going to webmail.website.com doesn't use the same vhost.conf settings.


Can anyone advise as to where I can find these settings to alter them?


 Post subject: Re: vhost.conf settings for Plesk 10.3
Posted: Thu Nov 24, 2011 8:40 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 283
Location: Glasgow, UK
Found it... If you edit the configuration template for atmail.php, you can have full control over the vhost.conf settings:
Code:
/usr/local/psa/admin/conf/templates/default/atmail.php


After editing, reconfigure the domains for it to take effect:
Code:
/usr/local/psa/admin/sbin/httpdmng --reconfigure-all

