
custom .user.ini files with FastCGI

Discussion in 'Security' started by josuablirup, Jul 25, 2013.

  1. josuablirup

    josuablirup Registered

    Hello everyone

    We would like on occasion to use custom php settings for some of our clients, but most of the time we want to make sure they are forced to use the settings from the main php.ini file.

    We currently have the following issue:

    1. This can be accomplished by using .user.ini files but these files give us the opportunity to edit any php setting we like - we consider this a security threat.
    2. We have tried to create .user.ini files as root and set restriction to 0444 but the user can access the file from "File Manager" without any problems and edit the file

    Is there any way to either:

    1. Block users from having access to /home so that they only have access to /home/public_html?
    2. Make the file only editable by root?

    We use FastCGI so setting anything in .htaccess or custom php.ini files in public_html is prevented (which we want).

    We have already tried to create a wrapper for CGI using:

    #!/bin/sh
    # Use the php.ini in the user's home directory when one exists
    [ -f ~/php.ini ] && exec /usr/bin/php -c ~/
    exec /usr/bin/php

    This makes it possible for us to create php.ini files in every user's /home directory, but this does little to correct the issue since the user has full access to edit the files. The only solution we have so far come across is to make the files immutable.

    We look very much forward to getting some input
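
Added example, not part of the original thread: a shell demonstration of why mode 0444 alone does not pin a .user.ini in a directory the account can write to, together with a check for the immutable flag mentioned in the post above. The temp directory, file contents and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: everything happens inside a temp directory created below.

# replace_readonly DIR
# Create DIR/.user.ini with mode 0444, then swap it out the way an editor or
# file manager can: write a new file and rename it over the old one. rename()
# needs write+search permission on DIR only; the old file's mode is not
# consulted, and its owner matters only if DIR has the sticky bit.
# Prints the final content.
replace_readonly() {
    dir=$1
    printf 'memory_limit = 64M\n' > "$dir/.user.ini"
    chmod 0444 "$dir/.user.ini"
    printf 'memory_limit = 512M\n' > "$dir/.user.ini.new"
    mv -f "$dir/.user.ini.new" "$dir/.user.ini"
    cat "$dir/.user.ini"
}

# dir_allows_replace FILE
# True when the invoking user has write+search on FILE's parent directory,
# i.e. could replace FILE regardless of FILE's own permission bits.
dir_allows_replace() {
    parent=$(dirname "$1")
    [ -w "$parent" ] && [ -x "$parent" ]
}

# is_immutable FILE
# True when lsattr reports the 'i' attribute (set by root with chattr +i).
# An immutable file cannot be modified, renamed or deleted, even by the
# owner of its directory. Returns false if lsattr is missing or unsupported.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q i
}

demo=$(mktemp -d)
echo "after replace: $(replace_readonly "$demo")"
if dir_allows_replace "$demo/.user.ini" && ! is_immutable "$demo/.user.ini"; then
    echo "replaceable: directory is writable and file is not immutable"
fi
rm -rf "$demo"
```

Run as the account user against a real path, `dir_allows_replace` and `is_immutable` together show whether a root-placed .user.ini is actually locked down.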
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    If a file has 0444 permissions, it means anyone can read it. You can modify the permissions of the file to 0400 or 0600 if you want to make it unreadable.

    Thank you.
     
  3. goodmove

    goodmove Well-Known Member

    With 0444 being read-only, shouldn't the file manager NOT allow the user to edit the file?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    If you want the file to be unreadable, make it 0400 (or 0600). Here is a quote from one of our developers that better explains this:

    Thank you.
     