WordPress BulletProof Security Plugin

LawsHosting

Details of the plug-in

Hello,

This is a random question.

Has anyone managed to get this plugin to work when using mod_php? A client tried to install it but had errors galore (chmod(), file_get_contents()) even with 777 permissions on public_html (I know, bad idea - but was testing). public_html is owned as user:user.

No idea if safe_mode/open_basedir is the reason.

Server has mod_security installed.

Thanks
 
I took the liberty of contacting the authors, this is what they said:
Yes, well, first off, BPS has worked in every single hosting environment
even including IIS, but with that said this is the first time I have ever
seen the Server API as: Apache 2.0 Handler
Typically most hosts nowadays have CGI or CGI/FastCGI here for Linux. So yes
this is most likely the problem. And now I completely understand your
question. My first thought was that you were saying that the server api was
apache, but I thought that no one still uses this since the apache default
is much less secure.

Ok so the line of code that is generating the error is: chmod($new1, 0644);
It is a radio button Form that is copying, renaming, setting the file
permissions for an htaccess file that is being copied to the root folder.

The error indicates a permissions issue, but you have ruled that out so yes
BPS may not work in the default Apache state. It has never been tested in
this environment before so your guess is as good as mine. ;)

I guess you could just have the user comment out any chmod lines of code in
BPS, but my guess is that other errors will also occur as well in this
environment and BPS may not be usable.
 
Only the owner and superuser can do chmod on a file. Since you're using mod_php all php scripts are running under apache name, and your files might belong to your customer user.
 
If I install mod_ruid2 (following the tutorial), will that affect anything mod_security wise or even block the usage of php values (eg. php_flag, php_value, etc) in htaccesses?

eg. AllowOverride

Edit:
Also, if some files are owned by apache, will the sites/etc still work until I change them, or do I need to change them quickly to avoid issues with sites?
 
All benefits of mod_php will still be yours, the only difference is that you'll get all PHP scripts working with your users' names.

Of course all files should be chown'ed.
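
The ownership rule discussed in the replies above, as an added example that is not part of the original thread or of the plug-in's code: a Python audit that lists entries under a document root not owned by the site user (a script running as that user cannot chmod() them) and entries that are world-writable, as a 777 test leaves them. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def can_chmod(path, euid):
    """chmod(2) is allowed only for the file's owner or the superuser (uid 0)."""
    return euid == 0 or euid == os.lstat(path).st_uid

def audit_docroot(docroot, site_uid):
    """Return sorted (relative_path, problem) pairs for a document root.

    Flags entries not owned by site_uid (scripts running as that user could
    not chmod them) and entries any local user can write to (mode o+w).
    """
    findings = []
    paths = [docroot]
    for dirpath, dirnames, filenames in os.walk(docroot):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink permission bits are not meaningful
        rel = os.path.relpath(path, docroot)
        if st.st_uid != site_uid:
            findings.append((rel, "owner uid %d, expected %d" % (st.st_uid, site_uid)))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable (%o)" % stat.S_IMODE(st.st_mode)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a docroot with one 0644 file and one 0777 folder."""
    root = tempfile.mkdtemp(prefix="public_html_")
    htaccess = os.path.join(root, ".htaccess")
    with open(htaccess, "w") as fh:
        fh.write("# constructed sample\n")
    os.chmod(htaccess, 0o644)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    me = os.geteuid()
    print("owner may chmod:", can_chmod(os.path.join(root, ".htaccess"), me))
    print("other uid may chmod:", can_chmod(os.path.join(root, ".htaccess"), me + 1))
    for rel, problem in audit_docroot(root, me):
        print(rel, "->", problem)
```

On a real server, pass the account's public_html path and the numeric uid of the site user to audit_docroot().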
 
Well that was stupendously easy, took only 5 minutes to do. There is me thinking it'll stuff up! (my famous last words!)

Good to see top reporting usernames for httpd!

Be ironic if the plug-in still fails with this configuration (lol!)
 
Anyone know what causes this in the main apache error log:

ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "localhost"] [uri "/index.php"] [unique_id "TmQd6ryl0CsAAFC1IG8AAAAB"]
ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "localhost"] [uri "/index.php"] [unique_id "TmQd6ryl0CsAAFC1IG8AAAAB"]

Think I fixed the above

Edit:

I also had to do :
no_local_from_check
untrusted_set_sender = *
for exim, which is pretty odd considering you can use php_value's still <shrug>


Also, I changed ips_virtual_host.conf, but it doesn't update when I rewrite the configs?
 
Folders are changed to 711, however, most scripts (like the said plug-in) recommend 755 - this is a bit confusing to the client.
 
How did you fix the issue?

Hi, how did you fix the issue?

 