
Thread: How can I protect php.ini with suPHP?

  1. #1
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    How can I protect php.ini with suPHP?

    Hey,

    Recently re-setup a server and want to give it a security overhaul. Set it up with SuPHP and would like to find a way to properly secure the ability for local php.ini files.

    I was hoping they would work like .htaccess where each part overrides the global one, unfortunately that doesn't seem to be the case.

    One plan of action I have is to have the php.ini files set to readonly and possibly owned by root so they can be used but not edited by the user, so they can't stick what they like in it!

    But at the moment it appears I would have to duplicate the global php.ini file into every user directory and set it with readonly, which is darn near impossible and I would then need to find a way to have the PHP.ini automatically copied into every new folder and a whole load of other hassles.

    Is there a way around this problem? Is there a way I can disallow users creating or editing php.ini files full stop? And then if/when they need a custom setting I (root) has to do it?

    Thanks,
    Dan

  2. #2
    cPanel Staff
    Join Date
    Mar 2007
    Posts
    113

    You have a few different options with mod_suphp...

    1) You can allow the users to set up their own php.ini files as they see fit. This is the default configuration.

    2) You can force all users to use a single php.ini file. This is done by setting the phprc_paths in /opt/suphp/etc/suphp.conf. If you set this it will override any other settings in .htaccess files or httpd.conf.

    3) You can control which php.ini is used for each account using suPHP_ConfigPath. This directive can be used in httpd.conf and in .htaccess files, so if you want to lock a particular account to a certain php.ini you'd need to set suPHP_ConfigPath for that account in an include file and remove Options from the AllowOverride list for that VirtualHost.

  3. #3
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    Would it be possible to set it up so all accounts by default have to use the global PHP.ini (in /usr/local/lib/php.ini)

    and then I can manually allow certain accounts to use a local one?

  4. #4
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    Can it be done?

    Ideally would like a way to by default lock users to global php.ini and be able to manually allow certain accounts to use other php.ini? :s

  5. #5
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    OK I have found a way to disable suphp_ConfigPath in htaccess, however I have no clue how to implement this in my current installation.

    spareknet.org

    This says
    8. Modify the mod_suphp.c file
    This is the last file modification. In this modification, I am going to disable the suPHP_ConfigPath from being used in users' .htaccess files. If users want to bypass a php.ini directive, I want to know about it. With this disabled, if a particular user needs a PHP directive changed, they will have to have the server administrator customize a php.ini for them and then reference this in the httpd.conf file. This is explained in more detail near the end of this guide.

    Change:

    suphp-0.6.1/src/apache/mod_suphp.c (Line 339)
    {"suPHP_ConfigPath", suphp_handle_cmd_config, NULL, OR_OPTIONS, TAKE1,

    To:

    {"suPHP_ConfigPath", suphp_handle_cmd_config, NULL, RSRC_CONF|ACCESS_CONF, TAKE1,

    How can I do this on my current installation?

  6. #6
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    *BUMP*

    Anyone? Please...

  7. #7
    Registered Member
    Join Date
    Aug 2002
    Posts
    1,185

    All of the information in that post on the website is greatly outdated. I think I started that before cPanel offered suPHP as an option.

    I believe you can get around this by using ordering preference in Apache.

    In /usr/local/apache/conf/includes/pre_main_global.conf add the lines:

    Code:
    <IfModule mod_suphp.c>
    <Location />
    suPHP_ConfigPath /path/to/php.ini
    </Location>
    </IfModule>
    Note that suPHP_ConfigPath should be just the directory location of the php.ini file. It should not be the full path to the php.ini file, just the full path to its directory.

    The /usr/local/apache/conf/includes/pre_main_global.conf file may not exist or may be empty. That is fine, this file is already included in the Apache set up.

    Restart Apache for the changes to go into effect.

    /scripts/restartsrv_httpd

    The <Location> will override any suPHP_ConfigPath in the user's .htaccess file.

    Then if a user needs a customized php.ini follow the instructions at:

    http://forums.cpanel.net/361496-post10.html

    That post deals mainly with enabling register_globals for an account, but you can change any values in the customized php.ini file for that account.
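
A check to run alongside the lock-down described above, as an added example that is not part of the original post: it lists .htaccess files that still carry an active suPHP_ConfigPath directive and php.ini files sitting inside account directories. The function names and the single account root (such as /home) are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list per-account files that try to
# override the server-wide PHP configuration under suPHP.
# Assumption: account directories live under one root such as /home.

# .htaccess files with an active (uncommented) suPHP_ConfigPath directive.
# Apache directive names are case-insensitive, hence grep -i.
htaccess_overrides() {
    find "$1" -type f -name .htaccess \
        -exec grep -liE '^[[:space:]]*suPHP_ConfigPath[[:space:]]' {} + 2>/dev/null | sort
}

# php.ini files placed inside account directories.
local_php_inis() {
    find "$1" -type f -name php.ini 2>/dev/null | sort
}

# One report line per finding: "<kind>: <path>".
audit_overrides() {
    htaccess_overrides "$1" | awk '{ print "htaccess: " $0 }'
    local_php_inis "$1" | awk '{ print "php.ini: " $0 }'
}

# Constructed demo tree so the script runs offline.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html" "$d/carol/public_html"
    # Active directive: reported.
    printf 'suPHP_ConfigPath /home/alice/public_html\n' > "$d/alice/public_html/.htaccess"
    # Commented-out directive: ignored.
    printf '# suPHP_ConfigPath /home/bob\nOptions -Indexes\n' > "$d/bob/public_html/.htaccess"
    # Local php.ini: reported.
    printf 'memory_limit = 512M\n' > "$d/carol/public_html/php.ini"
    audit_overrides "$d"
    rm -rf "$d"
}
demo
```

Running `audit_overrides /home` before and after adding the `<Location />` include shows which accounts were relying on their own settings and may need a root-managed php.ini.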

  8. #8
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    Quote: Originally posted by sparek-3
    All of the information in that post on the website is greatly outdated. I think I started that before cPanel offered suPHP as an option.

    I believe you can get around this by using ordering preference in Apache.

    In /usr/local/apache/conf/includes/pre_main_global.conf add the lines:

    Code:
    <IfModule mod_suphp.c>
    <Location />
    suPHP_ConfigPath /path/to/php.ini
    </Location>
    </IfModule>
    Note that suPHP_ConfigPath should be just the directory location of the php.ini file. It should not be the full path to the php.ini file, just the full path to its directory.

    The /usr/local/apache/conf/includes/pre_main_global.conf file may not exist or may be empty. That is fine, this file is already included in the Apache set up.

    Restart Apache for the changes to go into effect.

    /scripts/restartsrv_httpd

    The <Location> will override any suPHP_ConfigPath in the user's .htaccess file.

    Then if a user needs a customized php.ini follow the instructions at:

    http://forums.cpanel.net/361496-post10.html

    That post deals mainly with enabling register_globals for an account, but you can change any values in the customized php.ini file for that account.

    Right OK, so could I not just have
    Code:
    <IfModule mod_suphp.c>
    <Location />
    suPHP_ConfigPath /path/to/php.ini
    </Location>
    </IfModule>
    For each VirtualHost entry (and add it to the vhost template so it auto does it for new ones) and then to give someone a custom one all I do is manually set the path in config & restart apache?

  9. #9
    Registered Member
    Join Date
    Aug 2002
    Posts
    1,185

    Well, cPanel changed a lot of things with Apache2. It doesn't really allow for configuration editing. You can't directly edit the httpd.conf file.

    The include setup is the preferred method of doing this because it ensures that your changes remain after certain Apache cleanup processes.

    If you directly edit a virtualhost entry in the httpd.conf then when the httpd.conf file is rebuilt, I'm not sure if those changes would remain. The include statements would, and the cleanup processes do not touch the included files.

    In regards to the suPHP_ConfigPath line, make sure this is just the full path to the directory that contains the php.ini file and not the full path of the php.ini file.

  10. #10
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    Quote: Originally posted by sparek-3
    Well, cPanel changed a lot of things with Apache2. It doesn't really allow for configuration editing. You can't directly edit the httpd.conf file.

    The include setup is the preferred method of doing this because it ensures that your changes remain after certain Apache cleanup processes.

    If you directly edit a virtualhost entry in the httpd.conf then when the httpd.conf file is rebuilt, I'm not sure if those changes would remain. The include statements would, and the cleanup processes do not touch the included files.

    In regards to the suPHP_ConfigPath line, make sure this is just the full path to the directory that contains the php.ini file and not the full path of the php.ini file.

    Just tested it and it works.

    Yes I know about the issue where it's going to wipe out my customisations, it's something I really need to work on and figure out how I will do them all without directly touching the httpd.conf.

    I wonder if it might be possible to get clever and create some kind of cPanel plugin which controls custom php.ini, so it is included in feature manager and if I enable it for a user they then have a plugin which allows them to edit php.ini stored somewhere like /etc/phpconf/user/php.ini :/ but would need to find a way to have cPanel automatically create the directory and dump a copy of my global php.ini (the default one) into the custom phpconf thing :/

    And then could just have

    Code:
    <IfModule mod_suphp.c>
    <Location />
    suPHP_ConfigPath /etc/phpconf/USERNAME/
    </Location>
    </IfModule>

    in the default vhost templates or something :/

  11. #11
    Registered Member
    Join Date
    Aug 2002
    Posts
    1,185

    How many of your users are requiring custom php.ini files?

    If all of your users are needing a setting adjusted in the php.ini file then it might be a good idea to consider changing this variable globally in the global php.ini file. It depends on what the setting is, you would just have to weigh the pros and cons to this. In my experience, very few users need custom php.ini files on a server.

  12. #12
    Registered Member dansgalaxy's Avatar
    Join Date
    Jan 2007
    Location
    Reading, UK
    Posts
    92
    cPanel/WHM Access Level

    Root Administrator

    Quote: Originally posted by sparek-3
    How many of your users are requiring custom php.ini files?

    If all of your users are needing a setting adjusted in the php.ini file then it might be a good idea to consider changing this variable globally in the global php.ini file. It depends on what the setting is, you would just have to weigh the pros and cons to this. In my experience, very few users need custom php.ini files on a server.

    Well ideally I would be looking to have the global php.ini as very strict security wise, and if users (inc quite a few of my own sites/accounts!) need functions like shell_exec etc or need higher exec time for a script etc I can then allow it on an as-needed basis.

    Basically want to keep reins tight so I can keep an eye on who has the leeway

  13. #13
    Registered Member
    Join Date
    Jun 2006
    Posts
    146

    I am also looking for an automated way to do this.

    Reason being, I want that all users when their cPanel account is created, will automatically create a directory /home/user/tmp and custom php.ini file in /etc/home/tmp/user then put session.save_path = /home/user/tmp directory (this would mean override must be on but since php.ini is outside of their directory they don't have access).

    Of course the permission of /home/user/tmp directory must be writable by this user in suphp + suexec so they can dump the php session files there

    Any ideas how to do this?

  14. #14
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,553
    cPanel/WHM Access Level

    DataCenter Provider

    Friendly Moderator Note

    I've moved a few of the latest replies into a new thread to help differentiate the two topics.

    New Thread: Help with custom php.ini - cPanel Forums

  15. #15
    Registered Member cPanel Partner NOC Badge
    Join Date
    Oct 2007
    Location
    Ha Noi, Viet Nam
    Posts
    15

    If you want to force all users to use the global php.ini with suPHP, you can edit:
    /opt/suphp/etc/suphp.conf
    and uncomment these lines:
    [phprc_paths]
    ;Uncommenting these will force all requests to that handler to use the php.ini
    ;in the specified directory regardless of suPHP_ConfigPath settings.
    ;application/x-httpd-php=/usr/local/lib/
    ;application/x-httpd-php4=/usr/local/php4/lib/
    ;application/x-httpd-php5=/usr/local/lib/
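
To confirm which handlers the [phprc_paths] section actually pins after editing, here is an added example that is not part of the original post. The function names are assumptions, and the sample suphp.conf is constructed from the lines quoted above with one entry uncommented, plus a constructed [handlers] section to show that same-named keys elsewhere are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): report which handlers are pinned to a
# php.ini directory by active lines in the [phprc_paths] section of suphp.conf.

# Print every uncommented "handler=directory" line inside [phprc_paths].
active_phprc_paths() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[phprc_paths\]/); next }
        in_sec {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "" && line !~ /^[;#]/ && index(line, "=") > 0) print line
        }
    ' "$1"
}

# Exit 0 if the given handler (MIME type) has an active entry, 1 otherwise.
handler_is_pinned() {
    active_phprc_paths "$1" | awk -F= -v h="$2" '
        { k = $1; gsub(/[ \t]+$/, "", k); if (k == h) found = 1 }
        END { exit !found }'
}

# Constructed sample: the section as quoted in the thread with one line
# uncommented, followed by a [handlers] section that must be ignored.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
[phprc_paths]
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/

[handlers]
application/x-httpd-php4="php:/usr/php4/bin/php"
EOF
    active_phprc_paths "$conf"
    for h in application/x-httpd-php application/x-httpd-php4 application/x-httpd-php5; do
        if handler_is_pinned "$conf" "$h"; then echo "$h: pinned"
        else echo "$h: not pinned"; fi
    done
    rm -f "$conf"
}
demo
```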
