Hi,

I've previously used vhost.conf settings for older Plesk versions, however I'm trying to change the php_admin_value of disable_functions to allow exec to run on a specific domain.

I edit the vhost.conf file, reconfigure the domain and restart apache, but the limit is still in place.


Has this changed for v10?

According to http://php.net/manual/en/ini.core.php disable_functions can only be configured in php.ini, so you can't overwrite it in Apache configuration.

Ahhh... thanks Breun

I'm installing a new webmail (roundcube), which has plugins for Plesk that allows users to configure their Auto Responder and email forwarding.

The plugin was created by someone else to use the CLI methods that Plesk provides.


exec is not a function that I'd particularly like to open up server-wide, are there any other ways to allow this on a single domain?

suhosin ought to fix it. Faris has replied to a thread with his setup. But that setup makes you allow it globally and then disable it globally with suhosin. This makes ASL complain it is a High risk. But you know you are safe, except for the domains where you specifically enables it.

I think you mean Suhosin?

Thanks, found it.

Before going to the trouble of setting this up, I thought I'd enable exec temporarily to test the feature out.

I'm not too sure about it... it needs to run the command:


Currently giving an error log of:


If I add the below to /etc/sudoers, it should work.



But do you think this is too much of a security risk?

Oups! As usual breun is right! Thanks for the correction!

OK, I've configured everything and it's working fine - I now have Roundcube installed with custom Plesk plugins allowing Autoresponders and Passwords to be set.

I installed suhosin and configured it to block the following functions:


Based on the initial list given by faris at viewtopic.php?f=2&t=5250&p=31647&hilit=Suhosin#p31634

I turned of PHP checking in ASL to allow suhosin to deal with that for me.


The scripts required access to the plesk autoresponder command via the CLI - so I added apache to the sudoers file for that command only:


I enabled exec for in vhost.conf for the domain where the webmail is currently located and everything works great.


Can anyone spot any glaring security issues here? or functions that perhaps should be disabled server wide that I've missed?



Thanks

Check the PHP settings in /etc/asl/config for the risky PHP functions according to ASL.

You disabled 'pos' and 'posox_setuid', which don't exist AFAIK. Typo?

url_include is also not a PHP function AFAIK. I think you wanted to disable allow_url_include? This is not a PHP function, but a PHP configuration setting. You'll want to set PHP_URL_INCLUDE="no" in /etc/asl/config and run asl -s -f, which will set allow_url_include = "no" in /etc/php.ini.

Thanks, yep - a typo - and was flagged by PHP in /var/log/messages

So far, so good - everything is working as it should and i'm getting through all the setting tweaks i've had to make to allow scripts to operate as they should (request size, memory limit...).

I've now managed to replace Atmail Open with Roundcube, but symlinking its directory from the webspace that it resides in has meant that the Suhosin php options added to the webspace vhost settings don't apply to the actual webmail vhost.

e.g. www.website.com/webmail - the vhost settings of website.com have been changed and allow everything that's required.
Going to webmail.website.com, doesnt use the same vhost.conf settings.


Can anyone advise as to where I can find these settings to alter them?

Found it... If you edit the configuration template for atmail.php, you can have full control over the vhost.conf settings:


After editing, reconfigure the domains for it to take effect: