Shell_exec() Workaround


John Jordan
11-30-2007, 09:02 AM
Maybe the Soho people have something in the works to fix this. They seem to be very quiet about it, offering no hope for an impending solution.

When I try to install ANY plug-in, I get the following error message:

Error: Could not successfully extract zip file (EDIT_LIVE.zip).
Possible causes/fixes...
1. shell_exec() function disabled on your server - Chances are if this is the cause then you'll probably have problems with the Software Updates feature as well. If that's the case, you may want to ask your web hosting company about whether "the php function called shell exec is disabled" on your server.
2. Damaged archive file.................

If someone would come up with a solution that would not require the web host to compromise server security (by enabling shell_exec()), it would be worth some money. Seems to be plenty of Soho users out there who would pay for plug-ins if they could actually install them.

Uploading and installing new templates doesn't seem to impose the same problems. Someone commented that Soholaunch does a directory search for new templates, which it apparently does not do for plug-ins.

I would think that some of these people spending their valuable time creating these plug-ins would be making some noise about this large of a problem. ???

I don't mean to be hateful or obnoxious.
Just some thoughts,
Thanks... John

yoder
12-01-2007, 01:26 PM
John,

Sorry about the trouble. I have loaded a few plugins within the last couple of days and haven't gotten the error you are referring to. Not sure it is a problem for everyone.

There is a website, "Soholaunch Bugz (http://bugz.soholaunch.com/login_page.php?return=%2Fmain_page.php)", where you might try bringing it up. They are pretty quiet right now at that site as well. I am hoping that it is because they are working on a slew of updates for 2008... who knows.

Hope everything works out for you. Unfortunately I don't know of solutions or suggestions, only that I haven't experienced any plugin errors.

John Jordan
12-01-2007, 10:31 PM
Thanks for the input, and I agree that it's not a problem for everyone. However, apparently the problem is significant enough to offer a diagnostic. (See below.)

Part of the silence may be due to the strong possibility that many have given up any hope that Soho is interested in finding a solution.
Thanks... John

*****************
Go to: Webmaster / Software Updates / [?] Technical diagnostic info (for Geeks)
Technical diagnostic info
This information is meant to help tech support diagnose any problems you might be having with Software Updates.

allow_url_fopen = enabled
shell_exec = enabled
php_suexec = disabled

chmod to 777 after updating?
For plugin developers on non-phpsuexec servers who constantly have to go in and re-chmod to 777 after running Software Updates so they can modify source files via FTP again.
No Yes

Suppress 'shell_exec() disabled' error message?
Allows update routine to proceed past the extract step even though the extract command didn't return any output.
No Yes

austdata
12-02-2007, 12:47 PM
1. shell_exec() function disabled on your server - Chances are if this is the cause then you'll probably have problems with the Software Updates feature as well. If that's the case, you may want to ask your web hosting company about whether "the php function called shell exec is disabled" on your server.


shell_exec = enabled


G'day John,
According to your two posts your host already has shell_exec running. From memory php_suexec isn't critical. We don't have it running on our servers and we have Soho sites.

Cheers,

Mike

John Jordan
12-02-2007, 03:26 PM
Unfortunately, info.php contradicts the diagnostics in Soho. It lists shell_exec as a disabled function. I am curious why the two disagree.
Thanks... John
http://www.carterchristianacademy.com/info.php

draknet
12-03-2007, 12:26 AM
If someone would come up with a solution that would not require the web host to compromise server security (by enabling shell_exec()), it would be worth some money. Seems to be plenty of Soho users out there who would pay for plug-ins if they could actually install them.

Uploading and installing new templates doesn't seem to impose the same problems. Someone commented that Soholaunch does a directory search for new templates, which it apparently does not do for plug-ins.


Well, the issue is that not all hosts choose to lock down PHP within an inch of its life to disable aspects that an awful lot of software programs need to work. Some hosts do, and that is entirely up to them - but many hosts do not and take extra precautions in other aspects of security so that their clients have the widest variety of options. Many photo galleries can't function without shell_exec and exec on, but you can disable passthru and system in disable_functions to shore it up more, etc.

Yes, the easiest way is to take away functionality - but it's not the only way, and there are many hosts that allow it that have not gotten installs compromised, and don't, frankly, deserve to be classified as insecure.

A server's PHP security is more than its config file.

John Jordan
12-03-2007, 12:23 PM
Thanks. I do appreciate your post. You gave me an education on hosting security and some insight on Soho's position on the shell_exec subject. Now, could I trouble you for a bit more information?

From the information at the info.php link, can you tell me whether shell_exec is the only function that needs to be enabled for plug-ins to work? What about php_suexec?
http://www.carterchristianacademy.com/info.php

Are these functions enabled/disabled on a server-wide basis, or can it be done on an account-by-account basis? I have a reseller account.

Also, I'm wondering if a sticky post which addresses this shell_exec and security issue thoroughly would be a good idea?
Thanks... John

draknet
12-03-2007, 12:44 PM
PHPSuExec is one of those security things that I was talking about that you can install. It does, IMO, make things easier for the client because there is no chance of "nobody" owned files.

Ok, let me back up.

PHPsuexec is an optional Apache module that executes PHP scripts under the owner's username. Previous to this (and suexec for CGI scripts) many files had to be owned by Apache itself, or nobody - that meant that when a site was compromised by something like shell_exec, the permissions on the file doing the compromising had a much greater ability to do wider damage to the server, and compromises were much harder to track down.

In addition you, as the user, would more than likely not have the ability to deal with the files in any manner as you would not own them so you could not change them. It also negated the need for 777 permissions (anyone, anywhere can edit a file with 777 permissions so if your neighbor next to you knows where your file is and wants to edit it, there is nothing stopping him), and allowed php to run with a max of 755 permissions (owner can do anything to the file, group and world have limited manipulative ability).

Personally, I won't run a server without it because it has security benefits, and it makes it much easier for the client to manage their own site - as well as my life easier in tracking down runaway scripts or spammers. Because the conversion process requires changes to clients' sites, however, some hosts opt not to use it.

It is not required in any way for any program to run - it does require differences in installation, however, as PHP files on a non-phpsuexec server that are required to have 777 permissions simply will not run with PHPSuexec at that permission level - they have to be brought down to 755 max or they will simply error out.

In conversions, programs already running may have files or directories owned by "nobody", which would necessitate having those ownerships changed to the user in order to run (which, as already pointed out, would have to be done by the host).

So, you can run anything without phpsuexec (and it is, in fact, the default way to run a php script), and the decision to use it or not is made for you by your host. You simply have to be aware of what set up the host is running, and set permissions accordingly (which is why soholaunch tells you whether it is running or not).

draknet
12-03-2007, 12:57 PM
From the information at the info.php link, can you tell me whether shell_exec is the only function that needs to be enabled for plug-ins to work? What about php_suexec?
http://www.carterchristianacademy.com/info.php

Are these functions enabled/disabled on a server-wide basis, or can it be done on an account-by-account basis? I have a reseller account.

Also, I'm wondering if a sticky post which addresses this shell_exec and security issue thoroughly would be a good idea?
Thanks... John

Oops, I got too wordy and missed this:

1) Likely so, as it needs shell_exec to install.
2) These things are server-wide, but may be able to be turned on for your account by installing your own php.ini file - it will depend on your host.
3) shell_exec and phpsuexec are some of the most common topics here. :) I'm not sure a sticky could cover every issue, though.

IMO, the best response is to enforce proper scripting, and proper administration. IMO, hosts shouldn't disable functions that are useful just because they don't know how, or don't want, to look for problems.

There are, however, hosts that take the opposite stance and disable as much as they can to avoid problems - and again, that's absolutely their right to do. If you get on one of those, it's really up to the host to provide you a workaround, or to aid you in installing it because it does, in effect, disable some of what you want to do on your account.

To me, disabling php functions will cost upset and unhappy clients and poor feedback, so I take the opposite stance - I run php with proper patches (protection, mailheaders) in a way that will not disable most (most) scripts. While this won't "totally secure" my server, there is no server that is 100% secure and exploits happen because that's just part of working with computers and PHP. You give your best effort to balance between security and functionality - or you nuke functionality for security.
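An added diagnostic script, not Soholaunch's code and not posted by anyone in this thread, that reports which php.ini is in effect, what disable_functions lists, and whether PHP runs as the file owner (phpsuexec) from wherever it is placed. It assumes a CGI-style setup where a per-directory php.ini (as draknet mentions) can differ from the one info.php in the document root sees, which is one possible explanation for the "enabled" versus "disabled" disagreement John describes.

```php
<?php
// Added diagnostic, not part of Soholaunch or this thread.
// Run it from two places (document root next to info.php, and inside
// sohoadmin/) and compare: with CGI PHP a per-directory php.ini can change
// disable_functions, so "shell_exec enabled" and "shell_exec disabled"
// reports taken from different paths can both be right.

function disabled_functions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

function shell_exec_report(): array
{
    $disabled = disabled_functions();
    return [
        'loaded_ini'          => php_ini_loaded_file() ?: '(none)',
        'disable_functions'   => $disabled,
        'shell_exec_disabled' => in_array('shell_exec', $disabled, true),
        // On current PHP, function_exists() is also false for a function
        // listed in disable_functions; both checks are shown so a mismatch
        // between the ini setting and the runtime is visible.
        'shell_exec_defined'  => function_exists('shell_exec'),
    ];
}

// Whether PHP runs as the file owner (phpsuexec) or as the web server user
// ("nobody"/"apache"), which decides whether 755 is enough or a script
// would "need" 777, as draknet explains above.
function ownership_report(string $path): array
{
    $owner = fileowner($path);
    $euid  = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $mode  = fileperms($path) & 0777;
    return [
        'mode'           => sprintf('%04o', $mode),
        'owner_uid'      => $owner,
        'php_uid'        => $euid,          // null if the posix extension is absent
        'runs_as_owner'  => $euid !== null && $euid === $owner,
        'world_writable' => ($mode & 0002) !== 0, // 777-style; refused under phpsuexec
    ];
}

header('Content-Type: text/plain');
print_r(shell_exec_report());
print_r(ownership_report(__FILE__));
```

Remove the script once you have the two reports; it discloses configuration details that do not need to stay reachable on the web.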

John Jordan
12-03-2007, 01:31 PM
Thanks for taking your time to help educate me on these security issues.
I'll be contacting my web host to see about getting this fixed.
Thanks again... John

emergingdzns
12-05-2007, 12:28 AM
John,

Were you unable to log in to FTP and do any uploading? That's a real problem, since you should have FTP access to any site file and be able to add/edit/delete any files on your site through FTP. If you don't have this ability, your host should at least make this possible. If you do have this ability, please PM me with your FTP info and sohoadmin login and I may be able to log in and make some adjustments to make it possible for you to install plugins.

lwyau
12-05-2007, 08:05 AM
Unlike templates (you just need to get all the files uploaded to the server), plug-in install is far more complex. Getting files uploaded does not do anything unless the rest of the plug-in install process is performed.

emergingdzns
12-05-2007, 07:14 PM
John,

I have found the solution to this problem. I have edited two files in the plugin manager set and have found a sort of workaround.

You can download the two files in one zip here: http://www.emergingdesigns.com/plugin_replacements.zip

Extract these two files to your computer. Log in to your FTP account and go to sohoadmin/program/webmaster/plugin_manager. Upload the two files extracted from the zip file.

Then, go to your sohoadmin and Manage Plugins. Now, follow the directions there, leaving the top box (where you select the zip file) blank.