php open_basedir pointless?

[weaver]

WHM: Main >> Server Setup >> Tweak Security

Php open_basedir Tweak

Php's open_basedir protection prevents users from opening files outside of their home directory with php.

I don't see the point of enabling this unless you are going to disable functions such as system(), passthru(), exec() etc... The reason for this is because cPanel/WHM runs under its own version of php in which php open_basedir is NOT disabled!!

Example 1:

PHP Code:

<?php
$directory = '/home/'.$_GET['user'].'/public_html';
$dirhandle = opendir($directory);
while ($files = readdir($dirhandle)) :
header('Cache-control: private'."\r\n");
header('Content-Type: text/plain'."\r\n");
header('Content-Disposition: inline; filename=dirlist.txt'."\r\n");
header('Content-transfer-encoding: ascii'."\r\n");
header('Pragma: no-cache'."\r\n");
header('Expires: 0'."\r\n\r\n");
echo $files."\r\n";
endwhile;
?>

If you were to upload this into public web space with php open_basedir enabled and visit the url, say: http://www.yourdomain.com/script.php?user=cpuser where cpuser = a cPanel username then you will only be allowed to view the contents of that public directory only if you set cpuser as the username associated with yourdomain.com.

The above is fine, no problem, no risk to security, however...

Example 2:

PHP Code:

<?php
if(ini_get('open_basedir')) :
system('/usr/local/cpanel/3rdparty/bin/php -q '.$_SERVER['SCRIPT_FILENAME'].' '. $_GET['user']);
else :
if (!isset($_GET['user'])) $_GET['user'] = $argv[1];
$directory = '/home/'.$_GET['user'].'/public_html';
$dirhandle = opendir($directory);
while ($files = readdir($dirhandle)) :
header('Cache-control: private'."\r\n");
header('Content-Type: text/plain'."\r\n");
header('Content-Disposition: inline; filename=dirlist.txt'."\r\n");
header('Content-transfer-encoding: ascii'."\r\n");
header('Pragma: no-cache'."\r\n");
header('Expires: 0'."\r\n\r\n");
echo $files."\r\n";
endwhile;
endif;
?>

This example executes the same kind of code except it checks for php open_basedir being enabled and if is, will parse it via the internal cPanel/WHM version of php instead where there is NO php open_basedir restrictions in place

Summary:

Unless you are going to disable all of PHP's ability to execute external programs or php open_basedir is disabled on cPanel/WHM version of it (will break lots of things including Fantastico) then it seems to me that having this enabled in the first place is pretty pointless?

[LP-Trel]

While an interesting exercise to show that open_basedir can't be relied on to protect you, this doesn't do anything with safe_mode enabled which is common (in my experience) among people that bother to enable open_basedir.

Thank you for your work though, this should at least help to scare someone shitless enough to take security half seriously for a day or two.

[weaver]

this should at least help to scare someone shitless enough to take security half seriously for a day or two.

Hopefully enough to enable safe_mode

However, if curl is installed with php support and it has also been compiled with local file access (often is) then curl doesn't care if php has safe_mode or open_basedir enabled or not

Good way to test:

PHP Code:

<?php
$ch = curl_init("file:///home/cpuser/public_html/index.html");
$fr = curl_exec($ch);
echo $fr;
?>

A chain is only as strong as its weakest link

[fusioncroc]

but what if system is blocked in php.ini ?
or the curl command

[fusioncroc]

And if curl_exec is blocked i suppose it will affect other scripts or will it be ok to block ?

[weaver]

but what if system is blocked in php.ini ?
or the curl command

If safe mode is enabled then system() will already be blocked but regardless of whether it is or not it's useless if curl has been compiled with local file access. If none of your clients require curl then you should recompile php without support for it as disabling curl_exec() is basically disabling curl support for php (would break a lot of client appz on my servers if I disabled it). If you want to offer curl and maintain your security I would recompile curl using the "--disable-file" option in configure. Important: If "--disable-file" is NOT specified (like the default cPanel installation) in the configuration then local file access WILL be enabled and access to files not owned by the user WILL be possible via a curl supported install of php, regardless of what you have disabled/enabled in the php.ini file and regardless of whether you have php open_base directory protection enabled or not!

[jdonoso]

Unless you are going to disable all of PHP's ability to execute external programs or php open_basedir is disabled on cPanel/WHM version of it (will break lots of things including Fantastico)

How it would break Fantastico? I have Fantastico and open_basedir enabled in my server and no biggie, Fantastico runs fine. Maybe I'm understanding it wrong, sorry if I do. Perhaps you can clear this up a little more.

Best regards,

[weaver]

How it would break Fantastico? I have Fantastico and open_basedir enabled in my server and no biggie, Fantastico runs fine. Maybe I'm understanding it wrong, sorry if I do. Perhaps you can clear this up a little more.

Best regards,

What build of php are you referring to?

Having open_basedir enabled in Server Setup >> Tweak Security will NOT break Fantastico as Fantastico runs under cPanels/WHM php environment and NOT your web servers.

Add the open_basedir directive to: /usr/local/cpanel/3rdparty/etc/php.ini and you will understand what I'm talking about! It will also break the cpanelxp2004 theme (if you have it installed) and probably any other php based solution that requires access to multiple directories

Do you get the picture now

[jdonoso]

What build of php are you referring to?

Having open_basedir enabled in Server Setup >> Tweak Security will NOT break Fantastico as Fantastico runs under cPanels/WHM php environment and NOT your web servers.

Add the open_basedir directive to: /usr/local/cpanel/3rdparty/etc/php.ini and you will understand what I'm talking about! It will also break the cpanelxp2004 theme (if you have it installed) and probably any other php based solution that requires access to multiple directories

Do you get the picture now

Oh! I see now. But, so why one bother using it, or any other php securities, like phpsuexec, etc. I personally don't like the idea of resorting to have to set safe_mode=on (many hosters don't do it either), for security purposes.

Thanks for your explanation

[fusioncroc]

well i run open basedir and there was some problems with some scripts but it was just one custom one

i just want to know blocking curl_exec will that affect any scripts ?

[weaver]

i just want to know blocking curl_exec will that affect any scripts ?

Blocking curl_exec() will affect any php script that uses curl. If you block the curl_exec() function you basically will not be able to support/offer curl to your clients so you may as well recompile php without curl support, either that or recompile curl using the --disable-file option.

[weaver]

Oh! I see now. But, so why one bother using it, or any other php securities, like phpsuexec, etc. I personally don't like the idea of resorting to have to set safe_mode=on (many hosters don't do it either), for security purposes.

Thanks for your explanation

That's the question I ask myself too

If you're in the world of commercial hosting, enabling safe_mode will lose you a lot of clients due to the fact that there are so many scripts out there that simply do not work unless safe_mode is switched off. If I switched on safe_mode I would lose custom, simple as that. The safe_mode setting is a quick "dirty fix" that only stops a user doing what he/she could do some other way (see some of my examples). I also think that safe_mode annoys most php developers (myself included) and is also kind of saying to your client: "we don't trust you one little bit"!

I prefer to keep safe_mode off so my clients may develop their web based applications to full potential and I just keep a close eye on things for any suspicious activities. Sure, I've had the occasional idiot trying to delete stuff/view directories but 99/100 of clients want high quality hosting with no restrictions and as to all of these exploits suposedly closed by safe_mode, open_basedir protection and phpsuexec can be accomplished some other way then who am I to make the hosting market smaller for myself by setting such restrictions?

Just my two cents

[DigitalN]

That's the question I ask myself too

If you're in the world of commercial hosting, enabling safe_mode will lose you a lot of clients due to the fact that there are so many scripts out there that simply do not work unless safe_mode is switched off. If I switched on safe_mode I would lose custom, simple as that. The safe_mode setting is a quick "dirty fix" that only stops a user doing what he/she could do some other way (see some of my examples). I also think that safe_mode annoys most php developers (myself included) and is also kind of saying to your client: "we don't trust you one little bit"!

I prefer to keep safe_mode off so my clients may develop their web based applications to full potential and I just keep a close eye on things for any suspicious activities. Sure, I've had the occasional idiot trying to delete stuff/view directories but 99/100 of clients want high quality hosting with no restrictions and as to all of these exploits suposedly closed by safe_mode, open_basedir protection and phpsuexec can be accomplished some other way then who am I to make the hosting market smaller for myself by setting such restrictions?

Just my two cents

I agree with you too

Keep the server software up to date, take precautions with firewalls, mod_security maybe and other security tweaks, make sure that you don't have wild permissions on system files, keep good backups (pref off server too).

Getting hung up on these php 'vulnerabilities' (which aren't really vulns, just the way things work) isn't for me, just watch the boxes and do the above, keep up to date and one step ahead at all times and you are as good as you can be and offer your clients hassle free hosting, which after all, why should you let the script kiddies win by going safe_mode (which if you don't turn off the ability to use .htaccess overrides, they can override anyways easily.) and limit your business ?

There are too many ways in shared hosting to view files, if someone wants to read your /etc/passwd file, it's not going to directly lead to a root compromise - they need to do something else to get that. Secure passwords and policies are what is needed, the list of things to secuure your box is very long, php safe_mode won't make it onto my list anytime soon.

Thank you.

[fusioncroc]

Thanks i wont be disabling curl_exec
i' tryied some of those php scripts to view the files they worked until i remembered i entered sytem instead of system in the disable_functions in php.ini