Skip to main content

Configuring Joomla Safe Mode on a Plesk box

At Cadent, we use Parallels Plesk Control Panel Software for Hosting on our servers (we’ve also used the open source Webmin and the commercial CPanel). Plesk has a great user interface, which our clients appreciate. It also imposes its own way of doing things, which can be a bit of a pain when tracking down subtle issues with server configuration. Because Plesk rewrites many configuration files automatically, it’s really critical to ensure that I make any manual changes to the server configuration in the right place, or Plesk will overwrite my efforts without remorse. The issue we needed to address was this: we installed Joomla! 1.0 on our development server, and Joomla reported the following configuration problems:         •        Safe mode was on, needs to be off.         •        The session directory was unwriteable. PHP: Safe Mode is a global setting allows only a file's owner or group to execute the script or read a file. Clearly, this is a good thing for security reasons, but it is now officially deprecated in PHP 6, since it is not "architecturally" correct. Nevertheless, Joomla 1.0 wants it off. Since the server hosts multiple domains, we don’t want to turn off safe mode for the entire server, by changing the settings in /etc/php.ini. Instead, we want to implement it “locally,” as Joomla terms it. In Joomla 1.0, you can compare the local and master settings for PHP on the PHP Info tab, available from the administrator interface via System > System Info. The session directory issue was also thornier than expected. After logging in as root and changing the permissions for the specified directory, and restarting Apache, Joomla still refused to recognize the changed status of the session directory -- even though I could see Joomla writing session files to the specified directory! I logged in to the bash shell via ssh to check the directory permissions. A simple bash command lists permissions by file: # ls -lh /var/www/vhosts/ ... drwxr-xr-x 9 ftplogin psacln 4.0K Mar 11 10:42 administrator drwxrwxrwx 2 ftplogin psacln 4.0K Mar 11 10:42 cache -rw-r--r-- 1 ftplogin psacln 103K Mar 11 10:42 CHANGELOG.php drwxrwxrwx 18 ftplogin psacln 4.0K Mar 18 02:52 components ... The user name “ftplogin” is the account that uploads & maintains the file via FTP, and “psacln” is the Plesk group for ... something. Anyway, neither of these are “apache” and that’s the account that needs to execute the PHP scripts for Joomla to run. At first, I thought there might be some conflict with PHP’s openbasedir (see the PHP: Safe Mode - Manual for details) but after checking to ensure that the session directory was in the openbasedir path, we determined the problem was elsewhere. Since openbasedir is associated with Safe Mode in PHP, it made sense to try to fix the Safe Mode issue first. At first glance, this seems the perfect opportunity to use .htaccess files, but for some reason, this didn’t work. I turned to the Apache configuration files. The master configuration file, in /etc/httpd/conf/httpd.conf, is certainly not the place to make local settings changes. Plesk stores domain-level Apache configuration settings in /var/www/vhosts/<domainname>/conf/httpd.include but this isn’t the place to make changes either, as noted in the file header: [ ~]# cat /var/www/vhosts/ | head -8 # ATTENTION! # DO NOT MODIFY THIS FILE OR ANY PART OF IT. THIS CAN RESULT IN IMPROPER PLESK # FUNCTIONING OR FAILURE, CAUSE DAMAGE AND LOSS OF DATA. IF YOU REQUIRE CUSTOM # MODIFICATIONS TO BE APPLIED TO THE CONFIGURATION, PLEASE, PERFORM THEM IN THE # FOLLOWING FILE(S): # /var/www/vhosts/ # /var/www/vhosts/ # /var/www/vhosts/<subdomain-name>/conf/vhost.conf Note that I’ve substituted the generic “” for our actual domain name. Since we are staging the site in a subdomain, I looked into the last option. After some difficulty, like the malformed config file that I wrote that prevented Apache from restarting, I succeeded with these steps:         1.        Create a vhost.conf file with the correct directive in the specified directory.         2.        Tell Plesk about the new vhost.conf file.         3.        Restart Apache. Those steps, executed correctly, fixed both the Safe Mode and the session directory issues. Here’s what I did at the command line, logged in as root (using ssh, obviously!) Create vhost.conf file Create the new file. [root@server ~]# nano /var/www/vhosts/<subdomain-name>/conf/vhost.conf Enter: <Directory /var/www/vhosts/<subdomain-name>/httpdocs> php_admin_flag safe_mode off </Directory> Save & exit. Tell Plesk about the new vhost.conf file [root@server ~]# /usr/local/psa/admin/sbin/websrvmng --reconfigure-vhost Restart Apache [root@server ~]# /etc/rc.d/init.d/httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ] Finally, check the settings in Joomla (System > System Info) -- all set!


Krick said…
Thanks for all the information, but how, exactly, does adding "php_admin_flag safe_mode off" to vhost.conf solve your session directory issues? I don't see the connection.

I'm having the same session problem, and at the moment, it looks like my options are:

1) Edit php.ini and change...
session.save_path = /var/lib/php/session/
session.save_path = /tmp/
...because tmp is one of the default directories that apache can write to in Plesk.

2) Create a vhosts.conf file with php_admin_value open_basedir and add /var/lib/php/session/ to the end of the line.

There's more info here...
Neil Johnson said…

Thanks for your comment (above). I don't know if you are working with Joomla 1.0 or some other app (you include a link to Sugar CRM). The interaction between PHP Safe Mode and your app is quite specific to the application. For example, Joomla 1.5 doesn't even care about PHP Safe Mode, so the usefulness of these settings can change from version to version.

Having said that, I'd strongly recommend that you make all your configuration changes in a vhosts.conf file, instead of editing php.ini. The php.ini file, as you probably know, controls the global PHP configuration for your entire server, so any change you make here have security ramifications for your entire server. If you restrict your changes to a specific domain's vhosts.conf file, you are only risking the security of that domain, not the entire server.

Note that a change to the vhosts.conf file is a change to the Apache server settings, and if there is an error in the file, it can bring your entire web server to a stunning, crashing halt. So, test plenty, keep backups, and in a pinch, you can always rename vhosts.conf to something else (like vhosts.bak) and restart Apache to restore your original settings.
Krick said…
I'm using Mambo. I ended up making all the changes in my vhosts.conf file. Note that I only have display_errors on because I'm debugging an error. I usually have it off..

<Directory /var/www/vhosts/>
php_admin_flag safe_mode off
php_admin_flag magic_quotes_gpc on
php_admin_value session.save_path /tmp
php_admin_flag allow_url_fopen off
php_admin_flag display_errors on

Popular posts from this blog

Virus scan Windows using a Linux live CD

[There's been quite a bit of interest in this post and I've expanded on it quite a bit. Please post any comments or questions to help me improve this guide. - Neil] Keith and I have both run into situations where we want to recover a Windows computer by cleaning it up with a Linux Live (bootable) CD distro. This offers several advantages to cleaning up an infected or compromised computer by booting into Windows: It prevents the malware, if it exists, from jumping from the infected computer or partition we are trying to fix to the repair partition or boot medium.If we boot from a CD, there's actually no way to alter the boot medium, since it's read-only. Naturally, we started with Knoppix -- download it here. Installing and scanning with F-Prot is covered in this discussion thread, Virus Scan from LiveCD, which describes how to install F-Prot from the command line using apt-get. Also, In Knoppix 5.1, you can boot from the Knoppix CD and install F-Prot wi…

1Password on Ubunutu

One of the biggest barriers preventing me from using Ubuntu as my primary desktop OS used to be my favorite password manager, 1Password. I use it on the Mac, Windows, iOS, and Android and couldn't really function without it.

For a while I could use it on any computer running a web browser using the 1Password Anywhere browser only implementation, with Dropbox. But Dropbox no longer supports that option (not sure why, but that's the way it goes).

I was thrilled to discover that 1Password 4.6 for Windows runs quite reliably on Ubuntu via Wine. Even better, the Browser Helper program also runs on Wine, which means I can also use the nifty browser add-ons to auto-fill web logins.

Installation was super easy. I installed Configure Wine from the Ubuntu Software app, and just like that, I could run Windows applications. I then followed the excellent instructions on the Agile Bits support site, Running 1Password for Windows on Linux systems. It worked just as advertised, and now I am …

Joomla 1.5 Directory Status: Writeable

[UPDATED] Joomla 1.5 is acting flaky on one of our installations because the directories are set to ‘unwriteable’. To see the their current state, log in as Super Administrator and go to Help > System Info > Directory Permissions. Elsewhere, it's been suggested that the specified directories must be set to “world-writeable” (777). This works, but it is a very bad idea, since it means anyone can change your files! Not cool. Fixing Security with User and Group Settings To perform these changes, you need shell (command line) access to your server. If you don't have it, you can beg your host to make these changes for you, or switch to a Joomla-friendly host. I'm going to assume that you are using a LAMP (Linux/Apache/MySQL/PHP) server because if you're not, then ... well, these instructions should work in principle, but the specifics for your server may be quite different. Here's the issue: you, the FTP user, need full access to your files. So does Joomla, wh…