Tuesday, May 3, 2011

PHP safe_mode default value in PLESK 8.4 is ON. WHY?

Hi, I am wondering why is the default value of the PHP safe_mode ON in PLESK. I suspect it is a security issue but how exactly is this useful?

p.s. As an inexperienced web-developer I spend some hours wondering why the .php files were downloaded instead of run on my server. The reason was that this php default safe_mode was ON and I found the solution by just making random reasonable looking changes to the settings of the plesk control panel. By asking this question I want to find consolation for the frustrating time I lost on this ridiculous problem. For me not to run .php files by default and not explicitly explaining why they don't work is just retarded. Or maybe I am retarded ...

From stackoverflow

  • The problem you have with your files being displayed instead of executed is independent of the setting for safe_mode.

    safe_mode is crucial to ensure that your scripts can't perform potentially unsafe operations that might allow a hacker to break into your server.

    It sounds like you've managed to randomly changed the setting that actually links .php files to mod_perl so that they run correctly, but if you don't know what you're doing you really should turn safe_mode back on.

    Also, as a general rule of thumb when debugging problems: only change one thing at a time and then test between each change. This will help eliminate spurious assumptions about which change actually fixed the problem...

    chosta : what I should do is read about safe_mode. thank you.
    chosta : I did it one change at a time :). But this was a desperate move. I usually try to find more rational solutions by myself. Then Google, then forums, then Help file(never helped) and at the end just random actions of despair...
    troelskn : safe_mode is an ugly hack, that prevents multiple users on a shared host from messing with each other. If you run your own server, there is no reason to have it turned on. This answer is right though - It's *not* the reason why you php-scripts aren't being processed.
    Alnitak : even on a dedicated server it has its uses. I've seen a server p0wned because the PHP developer did "include $_GET['page'];" without safe mode (and allow_fopen_url on, too)
    Alnitak : @toelskn - actually, PHP is an ugly hack, and I say that as someone who's written quite a lot of it...
Posted by Mu Cat at 9:15 PM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)