PHP SAFE MODE Restriction in effect.

mikeyg6754 (Verified User, joined Jan 23, 2012, 20 messages)
Hello, I am getting an error when using php $_SESSION. I get the SAFE MODE Restriction in effect message, but I've turned Safe Mode off via DirectAdmin. I know there is a .htaccess workaround to change the place where sessions are stored, but I don't want to have to use this with every client.

Thanks in advance for the help.
 
Hello,

Make sure you've got session.save_path uncommented in your php.ini file:

Code:
grep session.save_path /usr/local/lib/php.ini

and

Code:
grep session.save_path /usr/local/etc/php5/cgi/php.ini

you should see something like this:

Code:
session.save_path = "/tmp"

If you see something different, then update it and restart Apache.
 
I also have session.save_path commented out in php.ini, and also have PHP safe mode disabled. However, I don't have any problems like this, and the /tmp folder looks like it works for sessions. In a phpinfo page it says:

Code:
session.save_path	no value	no value

Also I think this is the default setup in php.ini created by custombuild.

Because I don't have any problems related to session.save_path, I am not sure if I want to uncomment it in php.ini - should I do that anyway? Isn't it strange that it is working fine without it uncommented?

Edit: I wrote above code example saying it was from php.ini, I meant to say in a phpinfo page. I have edited that above.
 
Great! It worked!
Thanks.

Good to know that.
You're welcome.

Because I don't have any problems related to session.save_path, I am not sure if I want to uncomment it in php.ini - should I do that anyway? Strange it is working fine without it uncommented?

I did not study the question in all details, but some installations (maybe depending on OS) need to have session.save_path uncommented. By the way, what OS are you running there?
 
I am running CentOS 6.3 64bit. I have session.save_path commented out on all 3 servers, and have had it that way for years. That means I also did not have any problems with PHP sessions previously when running on CentOS 5.x. At the moment I am running PHP 5.3.x on all servers.
 
OK, as I posted before, I did not go into deep detail on why this happens. My guess would be that if it's not OS dependent, then it might depend on the particular PHP scripts or CMS you're running there. Maybe some PHP software is smart enough not to fail if session_path is not set in php.ini, or redefines its path to something within the document root, while other sites might give a warning that "session.save_path" is not set. Anyway, if you don't see the error, that's good.

By the way, it was mentioned somewhere that having session.save_path point to /tmp is not very secure, as a hacker with a hosting account on your server might hijack a session from a neighbouring site if he manages to get a list of the files located in /tmp. To prevent this you might want to store sessions in the user's home directory, e.g.

Code:
session.save_path=/home/userbob/tmps_sessions

To make it work, in the virtual host templates you should add a directive under the line

Code:
php_admin_flag engine |PHP|

add

Code:
php_admin_value session.save_path=|HOME|/tmps_sessions

in

/usr/local/directadmin/data/templates/custom/virtual_host2.conf
/usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf
/usr/local/directadmin/data/templates/custom/virtual_host2_secure_sub.conf
/usr/local/directadmin/data/templates/custom/virtual_host2_sub.conf

and update/create

/usr/local/directadmin/scripts/custom/user_create_post.sh

and add lines

Code:
    # create the per-user session directory named in the
    # session.save_path directive above (|HOME|/tmps_sessions)
    DIR=/home/$username
    mkdir -p "$DIR/tmps_sessions"
    chown "$username:$username" "$DIR/tmps_sessions"
    chmod 700 "$DIR/tmps_sessions"

By the way, the fact it is insecure to store PHP sessions in /tmp directory might be the reason why it's commented in the default PHP.INI and why some PHP scripts define their own session storage.
 
...By the way, it was mentioned somewhere that to have session.save_path to point into /tmp is not very secure, as a hacker with a hosting account on your server might hijack a session from a neighbor site, if he manages to get list of files located in /tmp. To prevent this you might want to store sessions in user home directory, e.g...

Thanks! But does this concern also apply if I have secured /tmp and /var/tmp ? Because I have done that like this: http://www.securecentos.com/basic-security/secure-tmp/

I was under impression that this should be safe then?
 
It's safe unless you've got PHP scripts running as the apache user. If you're running either mod_ruid2 or suPHP (PHP-CGI) you're secure, as session files in /tmp should be owned by user:user and chmoded to 600, e.g.

Code:
# ls -la /tmp
...
-rw-------  1 user01   user01     0 Aug 10 03:16 sess_fe057b62b4f3769f2b5b0972daf3cd44
-rw-------  1 user08   user08     0 Aug  9 21:26 sess_fe5e94576ad8c5073f5110f9b3413f9d
-rw-------  1 user03   user03   236 Aug 10 16:29 sess_feefb2eda57c424a8d7f4ae9d57eae30
-rw-------  1 user01   user01   536 Aug 10 15:54 sess_ff4cfab43ac306bf4d66cdbf1af282cf
...

In this case user01 can not read session files of user08 and user03.

To get a listing of files you might want to use this code:

PHP:
<?php
if ($handle = opendir('/tmp')) {
    echo "Directory handle: $handle\n";
    echo "Entries:\n";

    /* This is the correct way to loop over the directory. */
    while (false !== ($entry = readdir($handle))) {
        echo "$entry\n";
    }

    /* This is the WRONG way to loop over the directory
       (an entry named "0" would end the loop early). */
    while ($entry = readdir($handle)) {
        echo "$entry\n";
    }

    closedir($handle);
}
?>

Put it somewhere in public_html and open it in a browser.
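As an added example (not code from the thread or from DirectAdmin), here is a shell check that automates the ls -la inspection above for a whole session directory, whether that is /tmp or a per-user tmps_sessions directory as set up earlier in the thread. It flags session files that are not mode 0600 or that are owned by a shared web-server account; the account names in WEB_USERS are an assumption, adjust them to your server.

```shell
#!/bin/sh
# Audit PHP session files in a save_path directory for the two problems
# discussed in the thread: files readable by other accounts (mode not 0600)
# and files owned by the shared web-server account instead of the site owner.
# Prints one line per offending file; exit status 0 = clean, 1 = issues found.
# Assumes GNU stat (as on CentOS).  Usage: audit_sessions /tmp

WEB_USERS="apache nobody www-data"   # assumed shared accounts (adjust)

audit_sessions() {
    dir=$1
    issues=0
    for f in "$dir"/sess_*; do
        [ -e "$f" ] || continue             # glob matched nothing
        mode=$(stat -c %a "$f")             # octal permission bits
        owner=$(stat -c %U "$f")            # owning user name
        if [ "$mode" != "600" ]; then
            echo "MODE  $mode $owner $f"    # readable by group/others
            issues=$((issues + 1))
        fi
        for w in $WEB_USERS; do
            if [ "$owner" = "$w" ]; then
                echo "OWNER $mode $owner $f" # owned by the shared web user
                issues=$((issues + 1))
            fi
        done
    done
    echo "$issues problem(s) in $dir"
    [ "$issues" -eq 0 ]
}
```

Run it as root so every user's files are readable by stat; a non-empty report on a suPHP or mod_ruid2 server means some script is still running as the shared user.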
 
Thanks. Yes, I am running suPHP. When I put your PHP code in public_html for one of the regular users and visit the page in a browser, it then gives a list with the file names of all files in /tmp (not only the files for this user). Is that OK? When I check the session files in /tmp, they have owner/group set to each user and chmod 600. Of course there are some files which are owned by apache, but those are files like for example "dos-98.137.72.243" which are generated by mod_evasive, and some others owned by the root user like "clamd.socket" etc. But all users' session files are owned by each username and not apache.
 
Yes, it's OK since the /tmp directory is chmoded to 1777, that allows everybody on the server to get a list of the files there. And with suPHP you're secured regarding session files.
 
Thank you for the information and clarification. In the next days I will consider whether I should uncomment session.save_path in php.ini - the way things look to me right now, I think I should do that, but I will think about it and investigate some more ...
 