SuPHP problem

[grzeg]

Hello!
I've got a new fresh cPanel install. I'v just compiled Apache + SuPHP ( "PHP Security" option at "EasyApache ( Apache Update )" ).
Everything is working fine except for the restrictions.
Simple PHP script, like "echo file_get_contents('/etc/passwd');", is able to read that file, which I'd rather avoid.
Is it a normal behavior or did I do something wrong? Do I have to create customs php.ini files for every user with variable "open_basedir"?

System: Centos 5.4 64bit
Kernel: 2.6.18-164.11.1.el5
cPanel: cPanel 11.25.0-R43473 - WHM 11.25.0

Best Regards!
Grzeg

[grzeg]

Alright, I will help you out

In httpd.conf I've made a global conf to define php.ini file:
suPHP_ConfigPath /usr/local/php

Apache is reading this file only ( no custom php.ini files allowed ).

In php.ini I set open_basedir restrictions:

/home:/usr/lib/php:/usr/local/lib/php:/tmp

Everything seems to be working fine, so I just want to ask you is it enough or is there enything else to change?
PHP code can not access e.g. /etc/passwd file anymore, and can't access other users homedirs.

[radeonpower]

Would be nice to get some input from cPanel here, is this a security threat?

[grzeg]

Would be nice to get some input from cPanel here, is this a security threat?

Theoretically no, because passwd file is not a big secret ( no password is stored in that file ), but I don't like to share all the informations with my clients.
Without "open_basedir" restriction users are allowed to read other dirs and files with global read permisson.

Apparently, SuPHP is blocking scripts trying to read other users webroots ( like /home/other_user/public_html/file.html ), so it looks like my solution should work properly.

[Spiral]

Yes you covered the basics for doing that ....

Be advised though that users could still override the restrictions
with a custom PHP.INI unless you modified the code and manually
recompiled or use function shadowing and do the same but what
you listed is generally a good start in the right direction.

[sukil]

Hi,

I cant understand anything that Spiral said.

Also, I dont see any cPanel moderator commenting on the seemingly excellent method posted by grzeg here. Is it safe to apply this technique only or one needs to do more or it simply does not work? I would like to guidance on this as all the other suggestions I have seen so far seem very tedious to maintain while this seems to do the job with very little maintenance.

Please comment.

Thank you,

S

[Infopro]

You want to prevent users from overriding php.ini?
Here's an older thread you might get some value from:
http://forums.cpanel.net/f185/server...ini-78137.html

[sukil]

That link does not help too! I am looking for some cPanel representative to comment here on what grzeg has recommended. Or please link me or guide me to a simple step by step way to secure a server with suPHP for existing and future accounts that requires less maintenance man hours of me to ensure security of the server. I am so confused about what is right being not so technical in these topics!

[Infopro]

You might do better to hire a professional to assist, or moved to managed hosting. That will surely Free up your man hours.
Dev & Sys Admin Services « Application Catalog

[sukil]

Actually I do have a managed hosting plan from SolarVPS and they say it is as it is and told me it is a hassle to maintain suPHP and go for DSO. However, since I find suPHP being recommended by cPanel and is provided as the default solution yet with security issues, I am looking for assistance here to how best resolve those security issues without too much of a maintenance aspect involved with about 200 existing and later on new accounts that will come onboard in the future.

[yapluka]

suPHP is certainly not a hassle to maintain. All our shared servers and all our customers's shared servers we manage are configured with suPHP with no problem at all and some servers are hosting up to 800 accounts.
You only need to make sure that :
1) Files and folders are owned by the user
2) Folders permissions are no higher than 755 and files permissions 644
3) .htaccess contain no php flag values

Custom php.ini are controled with suPHP_ConfigPath and we have written a small script that helps our customers to easily create one for their customers who need a custom configuration.