open_basedi and userdir problem

[soulmaster]

hello
i'm here to ask for help

on enabled mod_userdir, open_basedir restrictions not affects, if user goes to http://ip/~user.
in this case phpsuxec restrictions also not affects, because URL-s like http://ip/~user apache executs as user nobody, which have read permissions on all public_html directories

so,if this some misconfiguration issue ?
or is there any other posibility to give the users access to their sites, with disabled mod_userdir ?

thaks in advance

[tuxicans]

Please make sure "default host" is excluded from userdir protection,
and use the URL in the format http://hostname/~user

See if that works.

[soulmaster]

it does not matter if it's hostname or ip
if user goes to http://hostname/~user, open_basedir restrictions not affects

[okeith]

Hi everyone,
It seems to me that this issue is not resolved,
does anyone have any further suggestions?

soulmaster - did you find any solution to this?

[cPanelDavidG]

hello
i'm here to ask for help

on enabled mod_userdir, open_basedir restrictions not affects, if user goes to http://ip/~user.
in this case phpsuxec restrictions also not affects, because URL-s like http://ip/~user apache executs as user nobody, which have read permissions on all public_html directories

so,if this some misconfiguration issue ?
or is there any other posibility to give the users access to their sites, with disabled mod_userdir ?

thaks in advance

Is there any particular reason your users must go to IP/~user to access their website rather than the domain set up on their cPanel account? Usually this is only used if the customer has an existing domain they are transferring to your server since the DNS propagation can take a couple of days. This is not often used as a permanent solution.

[okeith]

Thanks for the quick reply David,

It sounds like you're saying the userdir feature is unusable,
or how can it be used in a temporary capacity in the manner
you mentioned, if it cannot be left enabled on the server
given the implications? Also, what about shared SSL?

[cPanelDavidG]

Thanks for the quick reply David,

It sounds like you're saying the userdir feature is unusable,
or how can it be used in a temporary capacity in the manner
you mentioned, if it cannot be left enabled on the server
given the implications? Also, what about shared SSL?

The userdir feature of Apache has its drawbacks, hence we have the option in WHM's Security center to disable userdir (called: enabling mod_userdir protection). The main issue is that whatever user has the domain or IP portion of IP/~username will have all bandwidth used by /~username added to their account. This means one user can "steal" another user's bandwidth.

Also, PHP running as CGI (including FastCGI and SuPHP) will not run scripts within /~username as the username after ~, as one may think it would.

You mention you're using phpSuExec. You may want to update to SuPHP since we haven't supported phpSuExec for a while.

It is good practice to have users access their domain using example.com (where example.com represents their domain) rather than somethingelse/~username. However, it is common to allow /~username in instances where DNS propagation issues exist and for shared SSL certificates.

Using the mod_userdir protection screen in WHM's Security Center, you can enable/disable this protection on a per-user basis.

Enabling protection = no ability to access via /~username
Disabling protection = ability to access via /~username

If you are using shared SSL certificates, I recommend only disabling the protection for users that are using these shared SSL certificates and for users whose DNS has not yet propagated.