Posted 06 January 2012 - 03:15 PM
I've noticed that, to work properly, BackupBuddy requires the PHP exec function. However, many hosts (including us) disable this function for security reasons. Experts generally say that the exec function is a very dangerous thing that opens a huge security hole for hackers.
Is there any way that BackupBuddy can work to its fullest extent without requiring this dangerous function?
Posted 06 January 2012 - 05:12 PM
No, not its fullest capabilities. PHP's zipping functionality is extremely limited, so if exec() is unavailable then we must use a PHP-script-based implementation, PCLZip, which BackupBuddy will use if it must, but this is extremely inefficient (read: SLOW and memory-hogging). Command line zip is magnitudes more efficient, fast, and requires fewer resources.
We offer an 'alternate zip' method that allows most features to function when using PCLZip but it significantly reduces the size of backups that can be created within a given time limit such as the maximum PHP runtime that is often set to 30 seconds. If you are unable to use exec() you can use this as an alternative but it will be far less functional. This is an unfortunate technical issue with PHP.
While exec() is potentially dangerous, it is indeed possible to configure server security to permit its safe operation. Many hosts, such as Hostgator, offer exec() support. It is indeed a more sensitive issue than most functions, though, as any security holes in permissions and such are then more easily accessible.
We do our best to make BackupBuddy perform the best it can without exec() but there are severe technical limitations of PHP.
Posted 06 January 2012 - 05:53 PM
Can you point us to any tutorials or other documentation on setting it up this way?
Posted 09 January 2012 - 12:16 PM
In general, the users just need to be isolated so that they cannot run things they don't have permission to use or access. Though how exactly to set it up is beyond the scope of our support.
Posted 20 January 2012 - 11:25 AM
I'd like to reiterate what Mark asked for.
How will a user know if the PHP exec function is disabled, and how do we make BackupBuddy use the slower alternative?
I have WordPress sites on GoDaddy and 2 other small hosting companies and am concerned about this issue.
Posted 20 January 2012 - 03:14 PM
There are three ways you can check if the server has exec.
1. You can ask the host; they should be able to tell you if it has PHP's exec() function and permission to run Linux's zip command. At the same time you can ask them to enable it if they say the server doesn't.
2. The free plugin ServerBuddy can show you if you have exec as an available zip method.
3. You can run this zip tester on the site: http://ithemes.com/codex/page/File:Zip_test.zip
You don't have to tell it to use the slower mode (compatibility mode), so don't worry about that; if BackupBuddy finds it can't run with exec like it would prefer, it automatically tries to switch down to the slower mode.
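A fourth way to check, added here as an example that is not part of the original post and is not BackupBuddy's or ServerBuddy's own code: a short PHP script you can upload and open once. The function names are hypothetical, and it assumes a Linux host where exec() runs commands through a POSIX shell.

```php
<?php
// Added example: reports whether exec() is usable and whether a
// command-line zip binary can be reached through it.

/** True if $name appears in a comma-separated ini list such as disable_functions. */
function in_ini_list(string $name, $list): bool
{
    // ini_get() returns false for an unknown setting; the cast turns that into ''.
    $items = array_map('trim', explode(',', strtolower((string) $list)));
    return in_array(strtolower($name), $items, true);
}

/** Returns the reason exec() is unusable, or null if it can be called. */
function exec_blocked_reason(): ?string
{
    // PHP 8 removes disabled functions entirely; older versions keep the
    // name defined, so the ini lists are checked as well.
    if (!function_exists('exec')) {
        return 'exec() is not defined in this PHP build';
    }
    if (in_ini_list('exec', ini_get('disable_functions'))) {
        return 'exec is listed in disable_functions';
    }
    // Suhosin, where installed, keeps its own blacklist.
    if (in_ini_list('exec', ini_get('suhosin.executor.func.blacklist'))) {
        return 'exec is blacklisted by Suhosin';
    }
    return null;
}

/** Runs one fixed command (no user input) to see if zip is on the PATH. */
function zip_binary_path(): ?string
{
    $output = array();
    $status = 1;
    @exec('command -v zip 2>/dev/null', $output, $status);
    return ($status === 0 && !empty($output)) ? $output[0] : null;
}

$reason = exec_blocked_reason();
if ($reason !== null) {
    echo "exec unavailable: $reason. Expect the slower PCLZip mode.\n";
} elseif (($path = zip_binary_path()) === null) {
    echo "exec() is callable, but no zip command was found.\n";
} else {
    echo "exec() is callable and zip is at $path.\n";
}
```

Delete the script from the site after reading the result.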
Posted 21 January 2012 - 07:45 AM
Posted 21 January 2012 - 11:10 AM
If exec is set up correctly then it is perfectly safe, but yes, there is an option to force BackupBuddy to use the slower compatibility mode.
Posted 24 January 2012 - 08:29 AM
I really want to buy your full package but almost every client grills me about security so I have to be 100% sure it's secure for clients on my server!
Posted 24 January 2012 - 02:40 PM
The host should know what each part of it means and that it is being set up right, with users isolated so that they cannot run things they don't have permissions to use or access.