Serious Safe Mode Discussion

here

Does anyone have a link to a page explaining why safe_mode is a stupid thing?

My ISP desperatly klings on to the idea that it is for security reasons, and won't budge.

Mostly that text didn't have much to do with safe mode.

I want to get gallery (1) working with safe mode on.

Reading the various docs, I think it should be possible doing the following?

- I use netpbm and put the binaries into a /bin situated one level above /httpddocs
- chown all gallery files to apache user
- chown the binaries to apache user
- safe_mode_exec_dir set to this /bin in the vhosts file
- create /tmp one level above /httpddocs
- chown /tmp to apache user
- phpupload_dir set to the /tmp in the vhosts file
- 2 additional openbasedirs for our /tmp and /bin

comments?

It is a shared environment.

There are other scripts than gallery there (phpBB2, Postnuke, etc.).

cgi is disabled - I need a secure server - I have already been hacked 3 times.
I made /tmp noexec, installed mod security, restricted a lot of system tools to root.

I have also been thinking about fastcgi. Still exploring the implications for Plesk 7.5.3, which I use to manage the server.
Using fastcgi would make safemode run without problems right?

I was wondering if you meet your goals by not supporting safe-mode enabled servers.

Portable
G2 will work on any PHP platform and support a wide range of data processors (eg, image toolkits) and all the popular database solutions.

I don't think it is a matter of interpretation because any php platform having safe-mode enabled is still a php platform. Perhaps you could say that because of certain settings some functionalities might not work but that is not very nice. Aren't there lots of applications that are able to run with safe mode enabled? If so, then why can't an uber-app like gallery2?

Anyway, now you are closing in on the release of gallery2 I think you can give us a clue if someone here is going to make a work around for safe mode?

hello...
I am having a problem with the safemode thing also with SMF forum and a guy said this:

"If you're under an Apache environment that has this option enabled, but you're on shared hosting so have no access to php.ini, you can unset this value for your own site by placing the following in an .htaccess file in the root:

php_flag register_globals 0

The ini_set() function actually accomplishes nothing here, since the variables will have already been created by the time the script processes the ini file change.

And since this is the security chapter, just as a side note, another thing that's helpful to put into your .htaccess is:

<Files ".ht*">
deny from all
</Files>

That way no one can load .htaccess in their browser and have a peek at its contents."

What do you guys think about this? ... And how can one do this?
I really wouldn´t like to change server after all the work I had to install my forum and Mambo (They were very helpfull than)

brasileira: nonsense. you can't change safe mode on to off with .htaccess.

davil: there are a lot of great providers which set safe mode off, because they understand that's it tries to solve the problem on the wrong level. just switch the provider.
fact is, that we already have the largest user base among all gallery software products with Gallery 1.x and it also requires safe mode off. Soon most will have switched to g2. and since users want g2, providers will understand what to do, when users start switching to providers that offer safe mode off.
but yes, since you read this thread you know that we not categorically deny looking into a php safe mode enabled compliant G2. it's just a low priority task compared to some of the other 500+ requests we have.
i'd find it quite cool if we could make that happen, but we all have only a certain amount of time that we can spend on working for g2 a week.

uh, nice ad. we have a separate forum for such things.

reiterating myself...
Use apache2 + PHP-fastcgi + suexec + chroot jail and you'll have a shared webhosting solution which is very secure.

@recent exploit: open_basedir would lead to about the same security as safe_mode for this issue.

again, users with dedicated hosting and users with (fast)cgi+suexec+chroot jail are on the safe side.
we found safe_mode to have too many restrictions to be practical and safe_mode being a security measure on the wrong level is a wildly discussed topic, not just here on gallery.menalto.com.
solve the security problem with suexec + chroot jail. php-fastcgi hasn't the drawback of php-cgi being slow / driving the CPU load up, it just requires a little more RAM.

@register globals = off: was never an issue in G2

what community would that be? ISPs that ignore alternatives to PHP safe_mode? security is not an issue with G2 if the webserver is configured properly.

that being said, we welcome any patches to G2 which allow the operation in a safe_mode enabled environment. we plan to offer sooner or later a light version of G2, maybe just a G2 with some features disabled, which will work with safe_mode. but we are very busy and are working on other issues and features at the moment.

Good suggestions. But this is like saying, "Hey, our car doesn't have an airbag, and yea, all the other cars nowadays have airbags, but it's no big deal if you wear a helmet and a thick padded suit while you drive. It's just as if our car did have an airbag."

It's still an excuse to compensate for flaws in the program design that compromise security. Of course there are work-arounds. But safe mode is not an insignificant setting, and that should be obvious when you consider that you'd need a half-dozen other systems installed to emulate a similarly secure environment!

Even the developers of PHP acknowledge (as paraphrased in this thread) that operating in non-safe-mode is just plain foolish. You cannot get any respectable programmer to not agree on this point.

I understand you all have to defend your application, but let's be honest. If your app ran in safe mode, you would be on my side of the argument in a nanosecond, and you know it. You know it's bad news that the program needs safe mode disabled. You know that any little bug discovered becomes exponentially more dangerous because of this requirement.

G2 badly designed? i'm not the author of g2 but i'm amazed by its design. i guess you're just referring to the "flaw" of not to work with safe_mode on. and that was a design decision after evaluating alternatives.

safe_mode is also a work around. among the alternatives, i'd always use fastcgi+suexec+chroot jail for shared webhosting.

please submit a safe_mode on patch for G2, that would be constructive criticism.

i agree that there are lots of mod_php (non suexec), non-safe_mode g2 installs out there and they risk to lose their album data due to other scripts by other users on the same server and they risk to be a threat to other users on the same server if there was a really bad exploit for g2. and i don't like that fact.
i myself am hosted on a shared webhosting plan offering cgi, suxec for few money. and i recommend that to everyone. i strongly believe that safe_mode is just an alternative and depending on what applications you'd like to run, you should choose a webhoster that can run in safe_mode off.

we would like a G2 version that works with php safe_mode on, yes. but just because we would like to get rid of as many requirements as possible.
run G2 not without suexec and you're security concerns are null and void.

you as a programmer and ISP that is interested in hosting G2 installs could submit a php safe_mode patch for G2.
you as an ISP could switch to fastcgi+suexec+chroot jail and also be happy.
we as the developers of g2 could spend time investigating alternatives for all features and sublayers of G2 that require safe_mode on. but as i said, we're not that unsatisfied with the current situation concerning safe_mode that we'd prioritize it higher than our current tasks.

I appreciate where you're coming from.

Unfortunately, while I can see the value of trying to hack the code to operate under safe mode, the reason I came here was to avoid having to do it myself.

In any case, as I said before, it is impressive how far you all have come, and it seems like the product is well supported and feature laden. I look forward to seeing how it evolves in the future.

As for the "work arounds", one thing you forget, is the more disparate systems you have to implement, such as suexec, fastcgi, chroot, etc., the more complicated the install becomes, the more things you have to monitor for vulnerabilities, the more areas that can fail, etc. The first rule of security is to keep things simple, and the less windows & doors you have in your house, the less entry points.

Safe mode is not the be-all end-all of php security. We know that, but it is a substantive part of a secure php-based system.

And this is the post where I pick apart your posts.

Wow, several thousand customers. Search google for something like "powered by gallery" and you'll turn up possibly hundred's of thousands of sites using it, from around the world. And your a programmer? What did you write? I'm interested, is it closed source? There were never *any* security issues found in it? "Editor's Choice"? I think Gallery has won some "awards" too, but I'm to lazy to figure out what they were, it really doesn't mean a whole lot though.

I once worked for an ASP like this. You know why *they* did it (and most other providers, imho)? To sell more dedicated servers. And it is only 100% bad news for an ASP that doesn't know how to setup a secure shared hosting server. A little more work? Maybe. But you sure as heck provide a better product to your customers.

You are being redundant, have you read this whole thread? Did you bring up *anything* new? Have you read some of the info on why safe mode itself is foolish? I've not seen any valid ways of making gallery functional with safe mode enabled, why don't you point them out. Yes, its very ironic that you find a security vulnerability. Ironic becuase on any server using chroot and/or proper permissions, the "exploit" doesn't allow anything. If any server you setup allows "the ENTIRE SERVER AND ALL USER ACCOUNTS AND DATA" to be compromised *just* because safe mode is off, you have done a very very bad job of setting up a server. You should hire someone who knows how to do it properly and learn from them.

Does an entire thread that is STICKY seem "casual"? It was discussed in depth and no one who *wanted* safe mode could step forward and help the team accomplish that goal. A bunch of people with demands and requirements, but no one to actually step up to the plate. Sound familiar? Of course, at least most of *those* people didn't step in and start insulting the team and the project. And distract people? If you tell me that your window absolutly has to have double steel bars and a keyed lock, then I point out that your FRONT DOOR IS OPEN... is that a distraction? No, its pointing out the obvious to people who just don't notice that their door has no lock on it. The point is, its totally obvious we care about security. Did you notice the security fix? So its obvious that security is a huge concern in G2. Maybe what you don't understand is that safe mode does NOT translate to "secure" in any shape or form. Have you even installed or tried out G2? Reviewed any of the code? I doubt it.

Obviously you do mean to disrespect, you posts are full of insults and offer no advice or solutions. Just insults. Great job. Its already been covered and proven that security is a major concern for G2. What you fail to prove is that safe mode is even a worth while security precaution. I don't think you need to doubt the experience of the devs, you could review the code and see how methodical and careful they are with G2.

The right ISP is more secure with *or* without safe mode than anything you have discussed. You obviously have no grasp on how a server should be setup, in theory or practice. A chroot'ed webster eliminates the possiblity of *ANYONE* causing problems with any other part of the server, and running scripts as the user of the site prevents them from accessing anything which has proper permissions. Combined, this makes a double wall that is near impossible to break. This is proper security. Want to throw in safe mode on top of it? All you do is make things harder on users that care and no safer for users that don't. If you think that safe mode protects your server from allowing access to other sites, you are quite frankly nieve. Sure, it may stop PHP. But it doesn't stop anything else. Either you believe in security and you setup your server right, or you don't and simply use safe mode. See? I can come up with stupid phrases that aren't true but sound menecing.

You are dead on here. On a poorly secured server with a badly designed web application, you are opening yourself to a world of hurt. I'd never host on a server like this, and a poorly secured server with safe mode *on* is still a poorly secured server. Even on a dedicated server its bad news, you could loose precious data and uptime. Security is important, on a server level and on an application level. I'd say thats why G2 takes security on the application level *very* importantly and leaves the server security up to the competent hosts.

Even with safe mode on, when a security flaw is found, data can still be explosed, exploited and/or manipulated. On a poorly secured server, it *might* stop them from causing issues with other people... but it could just as possibly allow the hacker to install a cgi script and use *that* to walk over to all the other customers. Since this poorly secured server obviously wasn't setup properly using chroot or at the very least, good permissions... they are able to still get around safe mode. Security or speed bump? You decide.

I've seen this problem too, most frequently with phpbb and/or postnuke (because they are more popular than G1/G2), but older versions of G1 definatly has some security flaws. You could check your logs for referers from search engines where they were searching for specific versions to find you. Even with safe mode, nafarious people (not just spammers!) can seek out and abuse your site. Safe mode doesn't stop it.

No, its nothing like that at all. You have simply failed to grasp the underlying issue. Using your car and airbag analogy, its more like saying "Hey, YOUR car only has a passenger side airbag. We suggest you install a driver side airbag too. Some side curtain and even rear seat ones would be a good idea too... but we will still put you in a helmet and padded suit to be safe." In this case, the passenger side airbag is safe mode. Driver side airbag could be considered permissions, side curtain airbags perhaps chroot. I dunno what the rear seat airbags could represent, perhaps a competent sys admin?

It is no excuse, G2 would not be able to do 80% of what it does with safe mode enabled. It is as simple as that. The choices are limited functionality with safe mode or full functionality w/o safe mode. Thats it. Want to help us enable that limited functionality? Join the project and help. Perhaps donate a huge chunk of change and fund a developer to start caring about your issue. Until then, make your suggestion and stop being an asshole. There is even a feature vote page, and not only is safe mode no where near the top... I'm not even sure if its something anyone has requested in the RFE system. So double check, if it isn't there... add the request. If it is, vote for it. Whats funny is that I got the impression that the PHP developers acknowledge that safe mode is foolish, and I already know plenty of respectable programmers that agree with *that*.

Do you see the part that says "the biggest problem with safe mode is that people use it"? Doesn't sound like the guy who FOUNDED PHP thinks highly of safe mode, does it?

Obviously what we don't understand is YOUR need to attack the programmers, software, users, admins and supporters. If our app ran in safe mode, none of us would use it. So we still wouldn't be on your side, we would just be using something else. Any little bug in G2 is only dangerious to servers where the sys admin doesn't have the brains to properly set it up.

OMG are you telling me that you are such an asshole that you didn't install G1 or G2 before you started insulting us? G1 gives a big ol' warning if you install on a server with register globals on. I don't recall if it even lets you continue with the install in this case, but I won't make any promises because I haven't used it in a while. I've no clue on if G2 cares, but I suspect it does.

Way to insult an entire project w/o doing *any* background work of your own. Btw, the software you wrote sucks. And all your servers are easily owned. How do I know all this? I don't, I'm just saying it. Sound familiar?

I'd take your own advice. Read up on security, then go out and study the industry. It might help you figure out what is "industry standard" and what is something that hosts latch on to as a security feature, but which ends up driving some customers away. If these problems could be fixed in as much time as it takes to make up excuses, they would have been. Come on, do you *really* think G2 doesn't support safe mode because they think its a silly security measure? No, its because it *IS NOT* easy to work around for this application. Think about what it does and how, and you'll realize this. If its so easy, do it yourself (and do it up to G2's coding standards, if you even can) and submit it as a patch. You know what? If you need help, we'll be there for you. You can get help doing it from the devs themselves via IRC or these forums. I bet even though they'll read this and think you are an ass, they'd still help you because they would *love* for G2 to work in some form (be it limited or fully function) in safe mode. I think you'd also be surprised to find that you are the first person who has thought of the G2 devs as "script kiddies".

In other words, all you can do is degrade and insult. You have no actual skill to provide, either in coding or securing your own server. Awsome!

Thanks, I think this is the nicest thing you've said. G2 does have a lot of features and is well supported. Unfortunatly, with out people like you who actually care strongly about safe mode, it will take a long time for it to be supported. What we need is a developer who feels strongly about safe mode and makes it work. Not a few people (this thread is only 2 pages long!) who wish it were included but can't actually offer any help what so ever.

This is both true and untrue at the same time. Just saying that a server with more "stuff" on it is less secure is a stereotype, it can be true but it might not be true at the same time. Is running just apache more secure than running apache and iptables to help secure it? Is running apache, mysql, smtp and ftp less secure? What if you throw in some snort? What if you chroot jail all of those applications? There are no "rules" to security. Keeping things simple certainly isn't one of them. Its simpler to just run apache, but it sure ain't secure. Its simple to run wu-ftpd, but that sure isn't secure. Security is an all around approach. Adding more "things" can and WILL make you more secure if they are the right things. This means picking secure software, secure settings and when possible wrapping them in even more security!

You are right, safe mode is not the end all be all of php security. What you haven't come to realize yet though is that its not really a "substantive" part of it either. There are smarter, far more secure methods of securing PHP, that at the same time secure *everything* else.

This was a long post, and I was probably mean to you in parts of it. If you are offended, it doesn't really bother me because you offended me. My final suggestion is to simply put up or shut up. I'll be happy to see you post on another unrelated subject, and would even happily help you resolve any G2 issues you might have. I'd also be happy to see you work on getting G2 working in safe mode, because while it isn't the #1 requested feature... it is one of the recurring support issues in the forums. Our response now is to find a better host, but wouldn't it be great if we could say "hey, try the safe mode version and if you don't like the limitations, THEN find a better host!"
_________________________________
Support & Documentation || Donate to Gallery || My Website

Don't mistake our lack of safe_mode support with a lax approach to security. We take security very seriously. But the type of problem that Gallery attempts to solve is incredibly difficult to do without being allowed a fair amount of discretion, including running executables for image manipulation and managing our own time limits. It is grossly unfair to us to assume that we've simply overlooked safe_mode and that there's a quick fix that we can make to support it.

Remember that our focus is to write the best, most full-featured Gallery product that we can because that is what our users want. Security is something that we developers care about, but even in today's climate it is barely a blip on the radar of 80% of our users. They want it fast, easy, with many features. They take it for granted that we'll give them a secure product. So if we rip out features because of safe mode, or make the install much harder, etc then they'll go use something else. In my experience with this situation, ISPs get mad at Gallery because their users are demanding that they turn off safe mode so that they can use it. I appreciate that this puts ISPs in a bad situation because they don't want to lose business, and they don't want to turn off safe mode because it is a convenient, but limited way for ISPs to guard against poorly written scripts.

As I've also mentioned in the past, we were not going to make safe mode support an integral aspect of the G2.0 release, but we would revisit the issues for future releases. So here are the issues that I outlined in my first post, with some additional details:

• We can't use exec() limiting our toolkit support to GD which perpetually runs afoul of memory limits and doesn't support image rotation.
• We can't maintain our own time limits, which means that PHP will cut off long operations in the middle which will eventually lead to very difficult to solve database integrity issues.
• The webserver user must own the g2data directory in order for us to create subdirs under many common safe_mode configurations, which we do not have a solution for

It's not a long list; I'm probably leaving something off of this. Again, it is very easy to take a quick look at the product and criticize our lack of thought on this, but in order to really advance a convincing argument you'll have to help us come up with a real solution. I've spent several years trying to figure out ways around these issues and while I have some thoughts on how we could fix them, I don't have any solid solutions that will cover the 80% user base.

I will not personally be making a push to resolve this alone because I choose to prioritize the needs of our current userbase (which clearly does not include anybody who has the safe_mode restriction). However, I welcome and encourage anybody who has solid solutions for this problem to step up and help us solve it. If you meet us half way, we'll make it happen.

just an explanation:

php_flag engine off
Action php-script /interpreters/php-script
AddHandler php-script .php .php4 .php3 .inc
php_value magic_quotes_gpc off

doesn't disable safe_mode. these instructions tell apache (the webserver) to use a php-cgi installtion which is installed in /interpreters/php-script instead of the normal (mod_)php. thus, it disabled safe_mode by using another php installation which is probably run under your user instead of the global webserver user.
so this specific solution only works for you and users on the same host as you are.
other users might have to upload php-cgi or it might not work at all for them.

to your question:
this will get really offtopic if we try to solve your problem here. please open a new topic in the g2 installation forum. also, provide the errors you're getting as well as the php.ini path (found in <?php phpinfo(); ?>) in the new topic.

The point of open source is to make our years of work available to everybody so that they can do whatever they want with it. It's entirely free to you in every way that counts. The point of open source is that anybody can fix this problem. Unfortunately, as this thread (which has been going on for years) can attest, it would appear that the world expects us to fix this problem. But we don't see it as a problem, and until we do we're not going to dedicate our extremely limited time to it. Instead we give this code away for free so that any of those 17,000 people could change it. Any of the ISPS who complain could change it. Any of the 80,000 members of this website could change it.

Why won't somebody else step up and commit some time to this? Why must everybody demand that we do yet more work for them instead?

You could construe the tone of this comment to be arrogant and condescending. I hope that you don't. What I'm trying to express is the fact that I personally have donated many thousands of hours of my life to providing a free, high quality product to the world. I do not expect a dime in return. This is pure philanthropy. There are many others just like me who have spent just as much time on this. Because we are the ones who are giving so generously of our time, we get to decide where spend it. Anybody who is willing to step up and donate some time has an equal say in the direction of the project and the product. That is the power of open source.

I'll reiterate my prior offer: even though this is not a critical issue for us we will dedicate more of our time to helping anybody who is willing to work on it with us to resolve it to everybody's satisfaction. In my last post I outlined the issues that need to be solved.

Who will step up?

I was just about to offer the webspace that I use that has safe-mode enabled on it for a testing grounds for probable solutions. But then I realized when 2 posts in a row seemed to come from holier-than-thou snot-nosed techno-geeks, I reconsidered. I can now see why nobody wants to help any of you with your problems.

I've found better software.

Thanks anway!

I'd be interested in knowing what software you picked, it would give us something to point people stuck with safe mode a good alternative besides switching to a host that doesn't use safe mode. And as valiant said, its not a testing environment that is lacking. It is a lack of developers who want to spend their time adapting G2 to work in safe_mode. So if you could have done that, its a shame to see you leave.
_________________________________
Support & Documentation || Donate to Gallery || My Website

Glad to see that PHP developers have finally realized how utterly useless and annoying safe mode is. Let's hope they actually incorporate those changes

The Oldiesmann
SMF Support Specialist
SMF+G2 Integration Project

http://codex.gallery2.org/index.php/Gallery2:Security

@storing the images in the database
of course you can do that but storing a large amount of binary data which is retrieved highly frequently will have a large impact on the server load of the database server. the database is usually already the bottleneck for php/db applications, the same goes for G2. so this practise is strongly discouraged, not just by us.

@other safe_mode restrictions:
please submit patch(es) for G2 and we'll happily look if we can use them to have a G2 flavor that runs with safe_mode on.

but the main point is that if you are really concerned about security, you shouldn't rely on php safe_mode. Use php-fastcgi + suexec + apache2 + chroot jails to create a secure environment for your customers.
http://codex.gallery2.org/index.php/Gallery2:Security#What_about_PHP_safe_mode.3F

i guess coppermine works with safe_mode on, maybe plogger too

I've read the whole discussion!
Why don't you make a "non-secure" version of Gallery, which would work even with safe_mode on?

I'm desperately looking for another gallery, but no photo gallery is near as good as Gallery! I've tried Coppermine, which seems to be the next most popular, but it's not half as good as Gallery!

Please reply if someone knows an almost as good gallery out there!!!
/Rasmus

I would love to see somebody make a version of Gallery that works with safe mode enabled. If you're interested, please contact the dev team.