PHPSuExec being installed on existing servers »» Tips and tricks

[justG]

Movable Type and PHPSuExec:
http://forums.hostgator.com/showthread.php?t=9938

[riostyles]

Hello,
My suggestion is that HG prepares acheck-list of what to do, even as an abstract and send an e-mail to the reseller and direct hosted domains when the upgrade is planed.
Telling them what to prepare and what to do immediately after
whith some cases and some bug resolutions.
This probably will not take more time as a lot of tickets.
Schooling is saving your energy (and CPU). Foster Dulles.
Daniel.

[steveoc]

Okay, for security reasons I had to turn register globals off on a site on a server running phpsuexec. I was told by support to rename the htaccess.txt file to php.ini instead of .htaccess and make the appropriate modifications. I did and my security warnings went away.

I was told by support that the php.ini should carry through to the subfolders. Other sources have have that I need to put a copy of the php.ini in each subdirectory.

I don't want to challenge the support, but I could use a reassurance that I have the Joomla install locked down as I should. This is especially important as it is a school site.

Steve

Quote:

Originally Posted by steveoc

Okay, for security reasons I had to turn register globals off on a site on a server running phpsuexec. I was told by support to rename the htaccess.txt file to php.ini instead of .htaccess and make the appropriate modifications. I did and my security warnings went away.

I was told by support that the php.ini should carry through to the subfolders. Other sources have have that I need to put a copy of the php.ini in each subdirectory.

I don't want to challenge the support, but I could use a reassurance that I have the Joomla install locked down as I should. This is especially important as it is a school site.

Steve

Hello,

You do have to have a php.ini file on each subfolder that needs those php rules. While .htaccess can just be placed in public_html and it's applied to all the subfolders, that won't work with php.ini. Also renaming .htaccess to php.ini will not be a good option unless the code was changed to follow phpsuexec's rules.

[steveoc]

Quote:

Originally Posted by GatorAndre

Hello,

You do have to have a php.ini file on each subfolder that needs those php rules. While .htaccess can just be placed in public_html and it's applied to all the subfolders, that won't work with php.ini. Also renaming .htaccess to php.ini will not be a good option unless the code was changed to follow phpsuexec's rules.

As I suspected. I need that info. I just opened a support ticket. I suspect you will be getting a lot of inquiries regarding this because of security issues with Joomla.

Basically, I need a copy of the server's php.ini, then turn register_globals to off and insert a copy into each directory that has php files--correct?

Thankfully, there is a script--if I can get it to work.

Thanks,

Steve

Quote:

Originally Posted by steveoc

As I suspected. I need that info. I just opened a support ticket. I suspect you will be getting a lot of inquiries regarding this because of security issues with Joomla.

Basically, I need a copy of the server's php.ini, then turn register_globals to off and insert a copy into each directory that has php files--correct?

Thankfully, there is a script--if I can get it to work.

Thanks,

Steve

You do not need to have a copy of the server's php.ini is most of the rules would be disregarded. If you just need register_globals enabled you would just insert the following code on php.ini:

Code:

register_globals=On

Then of course move it to every directory.

[steveoc]

Got it. But I tried to run a script that copies it to all folders:

PHP Code:

<?php 
//*set*this*value*to*Y*if*you*only*want*to*overwrite*old*php.ini*files 
//*set*this*value*to*N*if*you*want*to*put*a*php.ini*file*in*every*directory 
$overwriteOnly*=*"N"; 

if*($overwriteOnly*==*"Y")*echo*"Operating*in*Overwrite*Only*Mode<br><br>"; 
$path*=*"/home/"*.*get_current_user()*.*"/public_html"; 
$source*=*$path*.*"/php.ini"; 
if*(!file_exists($source))*die('Error*-*no*source*php.ini*file'); 
function*search($dir)*{ 
**global*$source; 
**global*$overwriteOnly; 
**$dh*=*opendir($dir); 
**while*(($filename*=*readdir($dh))*!==*false)*{ 
****if*(*$filename*!==*'.'*AND*$filename*!==*'..'*AND*$filename*!==*'cgi-bin'*AND*is_dir("$dir/$filename")*)*{ 
******$path*=*$dir."/".$filename;* 
******$target*=*$path*.*"/php.ini"; 
******if*(!file_exists($target)*AND*$overwriteOnly*==*"Y")*{ 
********echo*"$path*<b>skipped*-*no*php.ini*file</b><br>"; 
******}*else*{ 
********echo*"$target*<br>"; 
********if*(!copy($source,$target))*echo*"<b>Write*failed*for*$target*</b><br>";
********if*(file_exists($target))*chmod($target,0600); 
****} 
******search($path); 
****} 
**} 
**closedir($dh); 
} 
search($path); 
echo*"<br>Done."; 
?>

and I get this error:

Quote:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/adminwcs/public_html/php-copy.php on line 4

If I can't get this to work or something else to work, I'd have to manually upload ths php.ini to 100s if not a 1000 directories.

Frankly, I am getting very frustrated that I have to go to such measures to secure my site (going on 3 days now). Do you have a server or servers with register_globals off?

Anything would be appreciated. I need to get on with my life!

Steve

[Serra]

Quote:

Originally Posted by steveoc

Frankly, I am getting very frustrated that I have to go to such measures to secure my site (going on 3 days now). Do you have a server or servers with register_globals off?

Anything would be appreciated. I need to get on with my life!

Steve

Yea, using Joomla is looking like a big mistake now isn't it!

Just an fyi, the not equal to operator is !=

[steveoc]

Quote:

Originally Posted by Serra

Yea, using Joomla is looking like a big mistake now isn't it!

Just an fyi, the not equal to operator is !=

Yeah--

Here I am, having worked for months to put together a website using Hostgator and Joomla along with other scripts to make a spectacular splash for my school district, and now--days before school starting--I cannot present a reasonably secure site!

Regarding the not equal operator--I am not there yet. This is a script I grabbed from tips-scripts.com and tried to work. I am am learning though!

Anyone?

Thanks,

Steve

http://wellscsd.com

[Lumis]

Quote:

Originally Posted by Serra

Yea, using Joomla is looking like a big mistake now isn't it!

I would say the mistake more lies with using Hostgator than Joomla..... it was Hostgator that made changes to servers (that have not been posted on here as promised) and our having to check a php info file every day seems to be a frustrating exercise. I can understand making changes to a server, and it is not possible to please everybody on a shared server, but to not inform us when our server is scheduled for an update is poor service.

Our other hosting providers always email us with upcoming server changes, as well as tips on how to deal with any expected issues that may arise from these changes - and although we have had good support from Hostgator before, this has always been a letdown with lack of notifications.

Yes, we have many Joomla sites on our shared server here at Hostgator, and I am not looking forward to the day when our clients inform us of problems when it should have been Hostgator notifying us in advance...

[steveoc]

Well--they finally got it all straightened out and did a very nice job! Kudos to Richard F!

I had found a script to copy the php.ini to my public_html folder with required mods (register_globals = off) and a second script to place copies of the file to each subdirectory. I just couldn't get them to work.

They got them to work and left customized copies for me on the server so I can run them as needed!

All is well!

Steve

[cjnoyes]

Quote:

Originally Posted by Serra

Yea, using Joomla is looking like a big mistake now isn't it!

Just an fyi, the not equal to operator is !=

!== is not equal and Type is exactly the same as != 0 could be confused with FALSE where !== FALSE would not evaluate as true if the value was 0 and not FALSE

[Lumis]

Quote:

Originally Posted by steveoc

Well--they finally got it all straightened out and did a very nice job! Kudos to Richard F!

I had found a script to copy the php.ini to my public_html folder with required mods (register_globals = off) and a second script to place copies of the file to each subdirectory. I just couldn't get them to work.

They got them to work and left customized copies for me on the server so I can run them as needed!

All is well!

Steve

Any chance of a copy of the script?
Cheers

[steveoc]

Quote:

Originally Posted by Lumis

Any chance of a copy of the script?
Cheers

No problem! 2 scripts--the first one copies and modifies the php.ini, then sends the copy to your public_html. Obviously you need to change yourusername. You may also have a different path to the original php.ini (You can find this by running <? phpinfo(); ?>)

Code:

<?php
// Put all the php.ini parameters you want to change below. One per line.
// Follow the example format $parm[] = "parameter = value";
$parm[] = "register_globals = Off";
//$parm[] = "session.use_trans_sid = 0";
// full unix path - location of the default php.ini file at your host
// you can determine the location of the default file using phpinfo()
$defaultPath = '/usr/local/Zend/etc/php.ini'; 
// full unix path - location where you want your custom php.ini file
$customPath = "/home/yourusername/public_html/php.ini";
// nothing should change below this line.
if (file_exists($defaultPath)) {
  $contents = file_get_contents($defaultPath); 
  $contents .= "\n\n; USER MODIFIED PARAMETERS FOLLOW\n\n";  
  foreach ($parm as $value) $contents .= $value . " \n";
  $handle = fopen($customPath, 'w'); 
  if (fwrite($handle, $contents)) { 
    fclose($handle);
    if (chmod($customPath,0600)) $message = "The php.ini file has been modified and copied";
      else $message = "Processing error - php.ini chmod failed";
  } else {
    $message = "Processing error - php.ini write failed";
  }
} else {
  $message = "Processing error - php.ini file not found";
}
echo $message;
?>

The next copies it to all subdirectories:

Code:

<?php 
//*set*this*value*to*Y*if*you*only*want*to*overwrite*old*php.ini*files 
//*set*this*value*to*N*if*you*want*to*put*a*php.ini*file*in*every*directory 
$overwriteOnly*=*"Y"; 

if*($overwriteOnly*==*"Y")*echo*"Operating*in*Overwrite*Only*Mode<br><br>"; 
$path*=*"/home/"*.*get_current_user()*.*"/public_html"; 
$source*=*$path*.*"/php.ini"; 
if*(!file_exists($source))*die('Error*-*no*source*php.ini*file'); 
function*search($dir)*{ 
**global*$source; 
**global*$overwriteOnly; 
**$dh*=*opendir($dir); 
**while*(($filename*=*readdir($dh))*!==*false)*{ 
****if*(*$filename*!==*'.'*AND*$filename*!==*'..'*AND*$filename*!==*'cgi-bin'*AND*is_dir("$dir/$filename")*)*{ 
******$path*=*$dir."/".$filename;* 
******$target*=*$path*.*"/php.ini"; 
******if*(!file_exists($target)*AND*$overwriteOnly*==*"Y")*{ 
********echo*"$path*<b>skipped*-*no*php.ini*file</b><br>"; 
******}*else*{ 
********echo*"$target*<br>"; 
********if*(!copy($source,$target))*echo*"<b>Write*failed*for*$target*</b><br>";
********if*(file_exists($target))*chmod($target,0600); 
****} 
******search($path); 
****} 
**} 
**closedir($dh); 
} 
search($path); 
echo*"<br>Done."; 
?>

Pop them in your public_html. Run the first, then second.

Steve

[riostyles]

Hello,
Any file explorer can do the repetitive work, if interested, I have some for other purposes, just to adapt to this specific php.ini
I UNDERLINE the request to be prepared meaning
a) a check list
b) an early update advise from HG for not to discover about from the clients' end users complaints.

I see there an other problem:
Some php functions: upload, write, imagejpeg etc. when creating the file without PHPSueExec create's a "Nobody" owned file (99) for instance on my server.
A Nobody owned file can not be chmod(ed) nor chown(ed) by the domain owner. The only workaround I found as today is: Download, Erase, upload per FTP, chmod as necessary. The FTP creates domain owned files/directories. Bon appetit.
Have E-commerce domains with thousands of this kind of files.
Somebody have some experience about this last point?

I Have some sites with PHPSueExec elsewhere and I love it.

[Serra]

Quote:

Originally Posted by riostyles

A Nobody owned file can not be chmod(ed) nor chown(ed) by the domain owner. The only workaround I found as today is: Download, Erase, upload per FTP, chmod as necessary. The FTP creates domain owned files/directories.
Have E-commerce domains with thousands of this kind of files.
Somebody have some experience about this last point?

It would be far easier just to ask support to use root to chown and chmod all of the files for you. They can do that very quickly.

[Lumis]

Quote:

Originally Posted by steveoc

No problem! 2 scripts--the first one copies and modifies the php.ini, then sends the copy to your public_html. Obviously you need to change yourusername. You may also have a different path to the original php.ini (You can find this by running <? phpinfo(); ?>)

Cheers Steveoc

[SimplyBea]

Quote:

Originally Posted by steveoc

Well--they finally got it all straightened out and did a very nice job! Kudos to Richard F!

I had found a script to copy the php.ini to my public_html folder with required mods (register_globals = off) and a second script to place copies of the file to each subdirectory. I just couldn't get them to work.

They got them to work and left customized copies for me on the server so I can run them as needed!

All is well!

Steve

So I have to have a copy of each of these scripts in my public_html directory?

What do I name them???

more than ever before...........

[steveoc]

Quote:

Originally Posted by SimplyBea

So I have to have a copy of each of these scripts in my public_html directory?

What do I name them???

more than ever before...........

It really doesn't matter that much--unique names that pertain totheir function.

custom-copy.php, dulicate.php, whatever..

Then you would type in your browser address bar:

yoursitename.com/custom-copy.php

That will run the script.

Steve

[SimplyBea]

Steve

Thank you!

So I SHOULD get a copy of those files up into my public_html directory ASAP!!!???

cheers

[steveoc]

Quote:

Originally Posted by SimplyBea

Steve

Thank you!

So I SHOULD get a copy of those files up into my public_html directory ASAP!!!???

cheers

The sooner you do it, the sooner your site will be more secure.

Of course, some scripts/software/addons/packages may not run without it, but you should consider finding alternatives as ones that require it on pose a security risk!

Steve

[Serra]

Quote:

Originally Posted by SimplyBea

So I have to have a copy of each of these scripts in my public_html directory?

What do I name them???

more than ever before...........

You can keep scripts you don't want just anyone to run in a password protected directory. This helps. cPanel allows you to create password protected directories.

[DaveW]

Has this been implemented on Gator39 (shared) yet?

[Serra]

You can tell by looking at PHPINFO.

[fuzzfree]

Could it be possible to email all resellers on the servers prior to enable phpsuexec??

That's really poor service from the part of Hostgator - phpsuexec is a bit of trouble with many scripts and enabling this without notification it is going to cause problems and lead to angry customers.

Thank you.