How can I protect php.ini with suPHP?

[dansgalaxy]

Hey,

Recently re-setup a server and want to give it a security overhaul. Set it up with SuPHP and would like to find a way to properly secure the ability for local php.ini files.

I was hoping they would work like .htaccess where each part overrides the global one, unfortunately that doesn't seem to be the case.

One plan of action I have is to have the php.ini files set to readonly and possibly owned by root so they can be used but not edited by the user, so they cant stick what they like in it!

But at the moment it appears i would have to duplicate the global php.ini file into every user directory and set it with readonly, which is darn near impossible and i would then need to find a way to have the PHP.ini automatically copied into every new folder and a whole load of other hassels.

Is there a way around this problem? Is there a way I can disallow users creating or editing php.ini files full stop? And then if/when they need a custom setting I (root) has to do it?

Thanks,
Dan

[jdlightsey]

You have a few different options with mod_suphp...

1) You can allow the users to set up their own php.ini files as they see fit. This is the default configuration.

2) You can force all users to use a single php.ini file. This is done by setting the phprc_paths in /opt/suphp/etc/suphp.conf. If you set this it will override any other settings in .htaccess files or httpd.conf.

3) You can control which php.ini is used for each account using suPHP_ConfigPath. This directive can be used in httpd.conf and in .htaccess files, so if you want to lock a particular account to a certain php.ini you'd need to set suPHP_ConfigPath for that account in an include file and remove Options from the AllowOverride list for that VirtualHost.

[dansgalaxy]

Would it be possible to set it up so all accounts by default have to use the gloabl PHP.ini (in /usr/local/lib/php.ini)

and then I can manually allow certain accounts to use a local one?

[dansgalaxy]

Can it be done?

Ideally would like a way to by default lock users to global php.ini and be able to manually allow certain accounts to use other php.ini? :s

[dansgalaxy]

OK I have found a way to disable suphp_ConfigPath in htaccess, however I have no clue how to implement this in my current installation.

spareknet.org

This says

8. Modify the mod_suphp.c file
This is the last file modification. In this modification, I am going to disable the suPHP_ConfigPath from being used in users .htaccess files. If users want to bypass a php.ini directive, I want to know about it. With this disabled, if a particular user needs a PHP directive changed, they will have to have the server administrator customize a php.ini for them and then reference this in the httpd.conf file. This is explained in more detailed near the end of this guide.

Change:

suphp-0.6.1/src/apache/mod_suphp.c (Line 339)
{”suPHP_ConfigPath”, suphp_handle_cmd_config, NULL, OR_OPTIONS, TAKE1,
To:

{”suPHP_ConfigPath”, suphp_handle_cmd_config, NULL, RSRC_CONF|ACCESS_CONF, TAKE1,

How can i do this on my current installation?

[dansgalaxy]

*BUMP*

Anyone? Please...

[sparek-3]

All of the information in that post on the website is greatly outdated. I think I started that before cPanel offered suPHP as an option.

I believe you can get around this by using ordering preference in Apache.

In /usr/local/apache/conf/includes/pre_main_global.conf add the lines:

Code:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /path/to/php.ini
</Location>
</IfModule>

Note that suPHP_ConfigPath should be just the directory location of the php.ini file. It should not be the full path to the php.ini file, just the full path to it's directory.

The /usr/local/apache/conf/includes/pre_main_global.conf file may not exist or may be empty. That is fine, this file is already included in the Apache set up.

Restart Apache for the changes to go into affect.

/scripts/restartsrv_httpd

The <Location> will override any suPHP_ConfigPath in the user's .htaccess file.

Then if a user needs a customized php.ini follow the instructions at:

http://forums.cpanel.net/361496-post10.html

That post deals mainly with enabling register_globals for an account, but you can change any values in the customized php.ini file for that account.

[dansgalaxy]

All of the information in that post on the website is greatly outdated. I think I started that before cPanel offered suPHP as an option.

I believe you can get around this by using ordering preference in Apache.

In /usr/local/apache/conf/includes/pre_main_global.conf add the lines:

Code:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /path/to/php.ini
</Location>
</IfModule>

Note that suPHP_ConfigPath should be just the directory location of the php.ini file. It should not be the full path to the php.ini file, just the full path to it's directory.

The /usr/local/apache/conf/includes/pre_main_global.conf file may not exist or may be empty. That is fine, this file is already included in the Apache set up.

Restart Apache for the changes to go into affect.

/scripts/restartsrv_httpd

The <Location> will override any suPHP_ConfigPath in the user's .htaccess file.

Then if a user needs a customized php.ini follow the instructions at:

http://forums.cpanel.net/361496-post10.html

That post deals mainly with enabling register_globals for an account, but you can change any values in the customized php.ini file for that account.

Right ok, so could i not just have

Code:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /path/to/php.ini
</Location>
</IfModule>

For each VirtualHost entry (and add it to the vhost template so it auto does it for new ones) and then to give someone a custom one all i do is manually set the path in config & restart apache?

[sparek-3]

Well, cPanel changed a lot of things with Apache2. It doesn't really allow for configuration editing. You can't directly edit the httpd.conf file.

The include setup is the preferred method of doing this because it insures that your changes remain after certain Apache cleanup process.

If you directly edit a virtualhost entry in the httpd.conf then when the httpd.conf file is rebuilt, I'm not sure if those changes would remain. The include statements would, and the cleanup processes do not touch the included files.

In regards to the suPHP_ConfigPath line, make sure this is just the full path to the directory that contains the php.ini file and not the full path of the php.ini file.

[dansgalaxy]

Well, cPanel changed a lot of things with Apache2. It doesn't really allow for configuration editing. You can't directly edit the httpd.conf file.

The include setup is the preferred method of doing this because it insures that your changes remain after certain Apache cleanup process.

If you directly edit a virtualhost entry in the httpd.conf then when the httpd.conf file is rebuilt, I'm not sure if those changes would remain. The include statements would, and the cleanup processes do not touch the included files.

In regards to the suPHP_ConfigPath line, make sure this is just the full path to the directory that contains the php.ini file and not the full path of the php.ini file.

Just tested it and it works.

Yes I know about the issue where its going to wipe out my customisations, its something i really need to work on and figure out how i will do them all without directly touching the httpd.conf.

I wonder if it might be possible to get clever and create some kind of cPanel plugin which controls custom php.ini, so it is included in feature manager and if i enable it for a user they then have a plugin which allows them to edit php.ini stored somewhere like /etc/phpconf/user/php.ini :/ but would need to find a way to have cpanel automatically create the directory and dump a copy of my global php.ini (the default one) into the custom phpconf thing :/

And then could just have <IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /etc/phpconf/USERNAME/
</Location>
</IfModule>

in the default vhost templates or something :/

[sparek-3]

How many of your users are requiring custom php.ini files?

If all of your users are needing a setting adjusted in the php.ini file then it might be a good idea to consider changing this variable globally in the global php.ini file. It depends on what the setting is, you would just have to weigh the pros and cons to this. In my experience, very few users need custom php.ini files on a server.

[dansgalaxy]

How many of your users are requiring custom php.ini files?

If all of your users are needing a setting adjusted in the php.ini file then it might be a good idea to consider changing this variable globally in the global php.ini file. It depends on what the setting is, you would just have to weigh the pros and cons to this. In my experience, very few users need custom php.ini files on a server.

Well ideally I would be looking to have the global php.ini as very strict security wise, and if users (inc quite a few of my own sites/accounts!) need functions like shell_exec etc or need higher exec time for a script etc i can then allow it on a as needed basis.

Basically want to keep reins tight so i can keep an eye on who has the leeway

[sharmaine001]

I am also looking for an automated way to do this.

Reason being, I want that all users when their cpanel account is created, will automatically create a directory /home/user/tmp and custom php.ini file in /etc/home/tmp/user then put session.save_path = /home/user/tmp directory (this would mean override must be on but since php.ini is outside of their directory they dont have access).

Of course the permission of /home/user/tmp directory must be writable by this user in suphp + suexec so they can dump the php session files there

Any ideas how to do this?

[cPanelDon]

I've moved a few of the latest replies into a new thread to help differentiate the two topics.

New Thread: Help with custom php.ini - cPanel Forums

[hostvn]

If you want to force all users using global php.ini . With suPHP, you can edit:

/opt/suphp/etc/suphp.conf

and uncommenting these lines:
[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/