  1. #1
    Member
    Join Date
    Apr 2005
    Posts
    142

    open_basedir not working - help!

    I've just noticed that my open_basedir protection is not working, and I am able to include other users' files on my server!

    open_basedir is enabled in cPanel, and I verified that by looking in httpd.conf - this is what is in there (for one of the users):

    ServerAlias auscong.com
    ServerAdmin webmaster@auscong.com
    DocumentRoot /home/auscong/public_html
    BytesLog domlogs/auscong.com-bytes_log
    User auscong
    Group auscong
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/auscong/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule mod_php5.c>
    php_admin_value open_basedir "/home/auscong/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    ServerName www.auscong.com
    As you can see, open_basedir *is enabled*. But I'm still able to include other users' files. Am I missing something obvious here or is open_basedir not working?

    Thanks

  2. #2
    Member
    Join Date
    Sep 2006
    Posts
    73

    Try
    # /scripts/phpopenbasectl off
    # /scripts/phpopenbasectl on
    # /scripts/restartsrv_apache

  3. #3
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    open_basedir isn't effective. I saw the effect too. It won't allow users to browse under /home/, but in /home/ it allows it. I'm switching to suPHP.

  4. #4
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by bin_asc
    open_basedir isn't effective. I saw the effect too. It won't allow users to browse under /home/, but in /home/ it allows it. I'm switching to suPHP.
    Could you expound on that please? It's possible we are missing something, but I'm not fully understanding your statement above.

  5. #5
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    open_basedir is enabled on my server, but the thing is that it keeps shell scripts from going under /home/, like /, or /root and so on, but it allows users to browse other /home/user/ directories.

  6. #6
    Member
    Join Date
    Apr 2005
    Posts
    142

    Quote Originally Posted by linux.newbie
    Try
    # /scripts/phpopenbasectl off
    # /scripts/phpopenbasectl on
    # /scripts/restartsrv_apache
    Nope, still doesn't work.

    Am I doing something wrong or is there a bug somewhere here that is causing a massive security hole? Should others be checking to make sure their open_basedir is working correctly?

  7. #7
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    Hopefully Kenneth will be able to give us some information.

  8. #8
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    By which means are they browsing:

    1. www.WHM_HOSTNAME/~username
    2. www.CPANEL_HOSTNAME/~username
    3. http://ip.add.res.s/~username

    Also, are you using mod_php, PHP CGI, suExec?

    By browsing, do you mean with an actual web browser, or via PHP (e.g. using Curl, include, etc)?

    Yeah - all that sounds pedantic, but it helps me determine what tests to run and explanations to fetch.

  9. #9
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    Well, I was referring to shell scripts. A shell c99 script or r57 ... I can send you some shell scripts, if you want to try.

  10. #10
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    Steps to reproduce:
    Enable open_basedir on all (some) accounts. Create a new account in WHM. Make sure open_basedir is enabled for it. Upload a shell script (like I said, I can provide one). Start browsing other users' /home/user/ files ....

  11. #11
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Nov 2003
    Location
    moscow
    Posts
    294

    Couldn't it be easier to just run a PHP script with phpinfo() inside in any /home/username/public_html and get the same result? If you check the open_basedir value in its output you will see that it is not set (if you do not set it in the server php.ini). I cannot confirm this for the PHP module, but for suPHP I can.
    https://robobill.net
    US dedicated, Europe and Asia and Russia dedicated server. Shared, Reseller, VPS hosting in US and Europe.
    We are RESELLER of dedicated servers since 2002.
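
A narrower version of the phpinfo() check suggested above, as an added example that is not part of the thread: a PHP page that reports the SAPI serving the request, the effective open_basedir, and whether files outside it can still be read. The probe paths and function names are assumptions made for this example.

```php
<?php
// Added example (not from the thread): check whether open_basedir is really
// in force for the SAPI that serves this request.

// Constructed probe list: paths outside a typical account tree that are
// world-readable on most Linux hosts, so only open_basedir should block them.
$probes = array('/etc/passwd', '/etc/hosts');

// True if $path falls under one of the open_basedir entries.
// Simplified prefix match: PHP itself also resolves symlinks before comparing.
function under_basedir($path, $setting)
{
    foreach (explode(PATH_SEPARATOR, $setting) as $prefix) {
        if ($prefix !== '' && strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Returns the SAPI name, the effective setting, and every probe that was
// readable although it lies outside the configured base.
function audit_open_basedir($probes)
{
    $setting = (string) ini_get('open_basedir');
    $report  = array('sapi' => php_sapi_name(), 'open_basedir' => $setting, 'leaks' => array());

    foreach ($probes as $path) {
        if ($setting !== '' && under_basedir($path, $setting)) {
            continue; // explicitly allowed by the setting, not a leak
        }
        // @ hides the warning PHP raises when open_basedir blocks the call.
        if (@is_readable($path)) {
            $report['leaks'][] = $path;
        }
    }
    return $report;
}

$r = audit_open_basedir($probes);
header('Content-Type: text/plain');
echo "SAPI:         {$r['sapi']}\n";
echo "open_basedir: " . ($r['open_basedir'] === '' ? '(not set)' : $r['open_basedir']) . "\n";
echo $r['leaks'] ? "NOT ENFORCED, readable outside base:\n  " . implode("\n  ", $r['leaks']) . "\n"
                 : "OK: probes outside the base were blocked\n";
```

Request it over HTTP from the account's public_html rather than from the command line, since the CLI does not read the per-vhost php_admin_value, and delete it afterwards.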

  12. #12
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    It's not the debate of whether it's on or off, it's that it doesn't do what it is supposed to do.

  13. #13
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Nov 2003
    Location
    moscow
    Posts
    294

    I wouldn't like to debate; I just prefer the easy way of working things out, at least where that is possible.
    If someone asked me why it does not work, I would say that it happens because when you use suPHP you should place PHP directives only in the php.ini file inside the user home directory where you would like to change something. PHP directives placed in the virtual hosts section will be ignored.

  14. #14
    Member bin_asc's Avatar
    Join Date
    Jul 2005
    Posts
    280

    I'm not using suPHP, and neither is the other fella. If I were, I wouldn't need open_basedir.

  15. #15
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Nov 2003
    Location
    moscow
    Posts
    294

    I don't know what version of Apache/PHP you use, but for the case of Apache 1.3.xxx/PHP 5.2.xxx it should probably work if you edit your virtualhost section like this:

    ServerAlias auscong.com
    ServerAdmin webmaster@auscong.com
    DocumentRoot /home/auscong/public_html
    BytesLog domlogs/auscong.com-bytes_log
    User auscong
    Group auscong
    php_admin_value open_basedir "/home/auscong/:/usr/lib/php:/usr/local/lib/php:/tmp"
