custom .user.ini files with FastCGI

josuablirup

Registered
Feb 8, 2013
4
0
1
cPanel Access Level
Root Administrator
Hello everyone

We would like on occasion to use custom php settings for some our clients but most of the time we want to make sure they are forced to use the settings from the main php.ini file

We currently have the following issue:

  1. This can be accomplished by using .user.ini files but these files give us the opportunity to edit any php setting we like - we consider this a security threat.
  2. We have tried to create .user.ini files as root and set restriction to 0444 but the user can access the file from "File Manager" without any problems and edit the file

Is there any way to either:

  1. Block users from having access to /home so that they only have access to /home/public_html?
  2. Make the file only editable by root?

We use FastCGI so setting anything in .htaccess or custom php.ini files in public_html is prevented (which we want).

We have already tried to create a wrapper for CGI using:

[ -f ~/php.ini ] && exec /usr/bin/php -c ~/
exec /usr/bin/php

This makes it possible for us to create php.ini files in every users /home directory but this does little to correct the issue since the user has full access to edit the files. The only solution we have so far come across has to make the files immutable.

We look very much forward to getting some input
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
We have tried to create .user.ini files as root and set restriction to 0444 but the user can access the file from "File Manager" without any problems and edit the file
If a file has 0444 permissions, it means anyone can read it. You can modify the permissions of the file to 0400 or 0600 if you want to make it unreadable.

Thank you.
 

goodmove

Well-Known Member
May 12, 2003
637
3
168
josuablirup said:
We have tried to create .user.ini files as root and set restriction to 0444 but the user can access the file from "File Manager" without any problems and edit the file
cPanelMichael said:
If a file has 0444 permissions, it means anyone can read it.
With 0444 being read-only, shouldn't the file manager NOT allow the user to edit the file?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
With 0444 being read-only, shouldn't the file manager NOT allow the user to edit the file?
If you want the file to be unreadable, make it 0400 (or 0600). Here is a quote from one of our developers that better explains this:

This behavior is by design. Since the file is readable by all users, it is readable by the user in question. When saving files, to avoid problems when the user is over quota, we write to a temporary file, and if that was successful, rename(2) the file into place. Since the user has write permission in this directory, the rename is successful and the old file, along with its permissions, is destroyed.
Thank you.