In version 5.2.0 of WPCD we’ve changed a few things that require some manual updates to servers and sites created with prior versions of version 5.x. In particular:
Unfortunately you need to make these changes manually using the command line.
Note: If you’re upgrading from 4.16 or 4.17 and have never installed 5.x, you should follow the 5.x upgrade instructions instead. Nothing in this 5.2 upgrade document will apply in this case.
We have updated our backup scripts. If you’re using our backups, you should disable and re-enable them.
Just a reminder that there are two places you can apply backups:
Please make sure you deactivate and reactivate in the places you are using them.
If you’re using OpenLiteSpeed servers and sites created with versions earlier than WPCD 5.2, then you will want to apply the following changes to each OLS server or site on the server. (No changes are required for NGINX servers.)
Please note that all the following needs to be done under your root/sudo login. This way all new files and folders created will be owned by the root user.
Open the PHP 8.1 global ini file using your favorite editor – the command for the NANO editor is:
sudo nano /usr/local/lsws/lsphp81/etc/php/8.1/litespeed/php.ini
Search for disable_functions
Replace that entire line with:
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
Repeat for each of the following files:
If you’re on Ubuntu 20.04, also repeat for the following files:
Open your vhconf.conf file for one of your sites on your OLS server using your favorite editor – the command for the NANO editor is:
Search for the keyword PHP_INI_SCAN_DIR.
Replace everything on the line where that was found with this:
Repeat for all your OLS sites.
Run the following command, replacing YOURDOMAIN.COM with your real domain:
Then run the following to create the php.ini file and add contents:
This file should contain the following line:
disable_functions = dl, exec, fpassthru, getmypid, getmyuid, highlight_file, link, opcache_get_configuration, passthru, pcntl_exec, pcntl_get_last_error, pcntl_setpriority, pcntl_strerror, pcntl_wifcontinued, phpinfo, popen, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, source, system, virtual
Repeat for all your OLS sites
Once all the changes in sections 1 – 3 above have been made, you need to restart your server so that the changes can take effect:
(And an example of why OLS is still categorized as beta in 5.x).
If you’re really curious, you might be wondering about why the OLS changes described above are necessary.
In short, the phpIniOverride sections of a site’s vhconf.conf file did not respect ALL php directives.
Each site is given its own vhconf.conf file that contains everything needed to configure a site for use in OpenLiteSpeed. Inside this file are multiple sections where we can specify php.ini directives. In theory, directives in these phpIniOverride sections should apply to the site.
Unfortunately, this is not always the case and many important security related directives were just being ignored by OLS and its PHP handler.
After many frustrating communication rounds with OLS reps, it became obvious that they did not see this as an issue (or decided to hide it). Regardless, we had to adopt a new approach.
The new approach is to place the directives in a php.ini file associated with the site. But we need to do this in a way that a regular sFTP user cannot edit (otherwise they can simply remove the security directives).
So, a site’s php.ini file is now placed in a new folder /var/www/YOURDOMAIN.COM/.phpini and is owned by root. Only root/sudo users can change this file.