hooks permission issue #22

Closed
Jouwhost opened this issue May 20, 2021 · 9 comments

Jouwhost commented May 20, 2021

Version information

Latest versions.

Steps to replicate

  1. Install DirectAdmin CustomBuild 2 on any CentOS-like OS.
  2. Create domain, remove domain. Anything that fires off the hooks.

Example:
Domain_create_post.sh is triggered but cannot successfully run.
We need to add a 'hack' to make this work.

This only works when we add this into the file:
`php -d disable_functions=""` after the echo

Actual result

Script does not run. Not enough permission to do so because of disabled function.
It does not seem to care what functions I enable or disable on the server for hosted PHP versions.
(There is also no information given what it needs and what server PHP version is used).

Expected result

Plugin should work without this.
We run more plugins and have never seen this before. There simply should be enough permissions present to make this work.

Other notes

I don't know how others do this or are able to run this without this hack. It has been like this for us since I can remember. I created tickets multiple times for this but no real solution was given. Hoping with some plugin changes this would not be needed anymore since it's just unsafe.

@LaurentiuTeodorescu
Contributor

I was unable to replicate this. It would be great if you can put the add-on in debug mode and provide some logs - documentation.

@wouta

wouta commented Oct 23, 2021

The only way to get this plugin working for me is to disable exec and shell_exec in the php.ini. Maybe you have to implement in the plugin your own php.ini so this will be fixed.

When I add a domain I get the following error in DA:

```
PHP Notice: Undefined variable: output in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 55
PHP Notice: Undefined variable: return in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 55
PHP Warning: exec() has been disabled for security reasons in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 55
PHP Notice: Undefined variable: output in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 57
PHP Warning: implode(): Invalid arguments passed in /usr/local/directadmin/plugins/latest/lib/Configuration.php on line 57
```

Domain Created Successfully

The log files for admin and root will be empty if you use the plugin in debug mode.

It would be desirable if the plugin is built properly as #23 indicates

@LaurentiuTeodorescu
Contributor

I was able to reproduce this by disabling the exec & shell_exec functions.

Please note that exec & shell_exec are required for the addon to work as expected, so please edit the custom/php_disable_functions file and remove these (steps below).

```
$ cd /usr/local/directadmin/custombuild
$ nano custom/php_disable_functions # remove `exec` and `shell_exec`
$ ./build secure_php
```

After I did this, the addon works fine.

If there are still issues please check the Support tab of the addon, run diagnostics, and if you are a SpamExperts customer, please reach out to your support contact.
Also, please provide this if the issue is still with disabled functions:

```
cd /usr/local/directadmin/custombuild
php -i | grep ^disable_functions
```

SpamExperts deleted a comment from ju5t Feb 3, 2022
@ju5t
Contributor

ju5t commented Mar 9, 2022

@LaurentiuTeodorescu why did you remove my comment without feedback?

The offered suggestion is unsafe and not recommended. I get that the plugin needs it, but it would be better to find an alternative. There are good reasons to have exec and shell_exec in a list of disabled functions.
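
A narrower form of the two workarounds discussed above, as an added example that is not code from the plugin or its maintainers: instead of clearing the list with `php -d disable_functions=""` or removing `exec` and `shell_exec` server-wide, it derives a per-invocation override that re-enables only those two and keeps every other entry disabled. It assumes the hook calls the CLI `php` binary and that `-d` takes effect there, as the first post reports; `SAMPLE` is constructed and `HOOK_SCRIPT` is a placeholder.

```shell
#!/bin/sh
# Extract the local value from a `php -i` line such as
#   disable_functions => exec,system => exec,system
# Prints an empty string when PHP reports "no value".
local_disable_list() {
    printf '%s\n' "$1" | awk -F' => ' '
        /^disable_functions / { if ($2 != "no value") print $2; exit }'
}

# Remove the functions named in $2 (space-separated) from the
# comma-separated list in $1; everything else stays disabled.
narrow_disable_list() {
    out=""
    old_ifs=$IFS; IFS=','
    for fn in $1; do
        IFS=$old_ifs
        fn=$(printf '%s' "$fn" | tr -d '[:space:]')
        [ -n "$fn" ] || continue
        case " $2 " in
            *" $fn "*) ;;                 # needed by the hook: re-enable
            *) out="${out:+$out,}$fn" ;;  # keep disabled
        esac
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Build the -d argument from one line of `php -i` output.
scoped_arg() {
    printf 'disable_functions=%s' \
        "$(narrow_disable_list "$(local_disable_list "$1")" "exec shell_exec")"
}

# Constructed sample of `php -i | grep ^disable_functions` output.
SAMPLE='disable_functions => exec,system,passthru,shell_exec,proc_open,popen => exec,system,passthru,shell_exec,proc_open,popen'

# In the hook, the override then applies to that one PHP process only
# (HOOK_SCRIPT is a placeholder for the plugin's hook entry point):
#   php -d "$(scoped_arg "$(php -i | grep '^disable_functions')")" "$HOOK_SCRIPT"
scoped_arg "$SAMPLE"; echo
```

The hook process can still run shell commands through `exec` and `shell_exec`, so this limits the exposure to the plugin's own invocation rather than removing it.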

@tonyandrewmeyer
Contributor

As the owner of this repository, we have the right to remove any comments that we deem to use inappropriate language.

You are welcome to fork this project, or to submit pull requests. We are not working on this request at this time. If you are an N-able partner, you are welcome to submit a feature request through your partner support manager or support.

@ju5t
Contributor

ju5t commented Mar 9, 2022

I can't remember what I said at the time but I don't think I used inappropriate language.

If you do not take feature requests (or in this case, a security issue), I would suggest you close down the issue page and move them to discussions. This makes it more obvious that you are not taking requests through GitHub.

I am hesitant to reserve resources to PR a full rewrite of this plugin. Your reply is the first in a while and apart from some basic PRs, most of the core issues are still there (if not all).

This needs coordination from N-able, because:

  1. There is a lot to do. Also see Rebuild the entire plugin #23. Going through the code I immediately see more points of attention.
  2. You keep track of issues in a separate system, so OSS contributors wouldn't know what's being fixed or not.

I would do this using GitHub's issues. Start from scratch in a new branch. Follow best practices (like @wouta mentioned).

If you keep issues away from OSS developers, PRs won't work for what is needed (personal opinion).

@ju5t
Contributor

ju5t commented Jun 28, 2022

@tonyandrewmeyer is this plugin still on the radar of N-able?

@tonyandrewmeyer
Contributor

We are continuing to maintain compatibility of the add-in with new versions of DirectAdmin. At this time, rewriting the add-in is not on our roadmap.

If the add-in is critical to you, then please reach out to your account manager so that they are aware of this, and that can be factored into our planning.

@ju5t
Contributor

ju5t commented Jun 29, 2022

@tonyandrewmeyer hm, this doesn't sound positive. Does this mean you will not look into security issues like the one described here? Or the fact that the plugin only supports EOL PHP versions?

We're using SpamExperts and DirectAdmin. So yea, this is pretty critical to us :)

Contacting our account manager doesn't seem to help. We tried that before.
