0

I am wondering why the default value of the PHP safe_mode is ON in PLESK. I suspect it is a security issue but how exactly is this useful?

p.s. As an inexperienced web-developer I spent some hours wondering why the .php files were downloaded instead of run on my server. The reason was that this php default safe_mode was ON and I found the solution by just making random reasonable looking changes to the settings of the plesk control panel. By asking this question I want to find consolation for the frustrating time I lost on this ridiculous problem. For me not to run .php files by default and not explicitly explaining why they don't work is just dumb.

Chris Martin
chosta
  • 1
    I don't mean to be rude, but isn't this a question for Plesk support? http://www.parallels.com/support/plesk/ – Peter Bailey Apr 29 '09 at 15:15
  • I thought so. But I suspect it could be an issue in other CMS platforms. I know that SO has experienced users who could supply comprehensive answers on PHP related topics... And as far as I know SO is about the community and about other people benefiting from questions/answers. – chosta Apr 29 '09 at 15:20

1 Answer

2

The problem you have with your files being displayed instead of executed is independent of the setting for safe_mode.

safe_mode is crucial to ensure that your scripts can't perform potentially unsafe operations that might allow a hacker to break into your server.

It sounds like you've managed to randomly change the setting that actually links .php files to mod_perl so that they run correctly, but if you don't know what you're doing you really should turn safe_mode back on.

Also, as a general rule of thumb when debugging problems: only change one thing at a time and then test between each change. This will help eliminate spurious assumptions about which change actually fixed the problem...

Alnitak
  • I did it one change at a time :). But this was a desperate move. I usually try to find more rational solutions by myself. Then Google, then forums, then Help file(never helped) and at the end just random actions of despair... – chosta Apr 29 '09 at 15:26
  • 1
    safe_mode is an ugly hack, that prevents multiple users on a shared host from messing with each other. If you run your own server, there is no reason to have it turned on. This answer is right though - It's *not* the reason why your php-scripts aren't being processed. – troelskn Apr 29 '09 at 19:15
  • 1
    even on a dedicated server it has its uses. I've seen a server p0wned because the PHP developer did "include $_GET['page'];" without safe mode (and allow_fopen_url on, too) – Alnitak Apr 29 '09 at 20:23
  • @troelskn - actually, PHP is an ugly hack, and I say that as someone who's written quite a lot of it... – Alnitak Apr 29 '09 at 21:55
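
The `include $_GET['page'];` pattern mentioned in the comments, next to a hardened form, as an added example that is not part of the original thread. safe_mode was removed in PHP 5.4, so on current PHP the fix has to live in the code; the page names and the `pages/` directory below are assumptions, and the code targets PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Directory and page names are hypothetical.

// Pattern from the comment above, shown only for contrast: the request
// decides which file PHP loads and executes.
//   include $_GET['page'];

// Hardened form: the request only selects a key; the server owns the
// mapping from key to file, so no request value ever becomes a path.
const PAGES_DIR = __DIR__ . '/pages';            // hypothetical directory
const ALLOWED_PAGES = [                          // hypothetical page names
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    // Rejects arrays (?page[]=x) and any value that is not a known key.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);

    // Defence in depth: the file must exist and, after symlinks are
    // resolved, still sit inside PAGES_DIR.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;

// Server-wide settings in php.ini that limit the same pattern:
//   allow_url_include = Off      ; the default since the directive was added
//   open_basedir = /path/to/site ; placeholder path, restricts file access
```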