Disabling open_basedir per user with CLI

[xfactor5]

Hi,

I searched everywhere and could not find anything.

I have to disable open_basedir protection per user via command line or some other way that can be used inside our API in a programmatic way.

I don't want to disable it completely for everyone due to security reasons. I also checked WHM API, but there is no open_basedir function there.

Is there a method for doing this with CLI or some other way that can be used programmatically?

Thanks

 

[cPanelMichael]

Hello,

Can you verify which PHP handler is enabled for the account you want to disable it on? You can check to see which PHP handler is enabled via "WHM >> MultiPHP INI Manager".

Thank you.

 

[xfactor5]

Hi,
It's not one specific account. We must do it for many accounts programmatically. But anyway we would use eaphp71 (our code base is PHP 7.1) and the web server is LiteSpeed.
Every time a new website is made with our site builder, we create a Cpanel account and that account loads our CMS's PHP files from one master Cpanel account to prevent lots of identical copies.
We trust our own code, but the problem is that we if disable it server wide, security would be compromised by some accounts that use 3rdparty scripts like our forum.
Therefore, we must disable openbase_dir for each user after we create a new account with WHM API.
Regards

 

[cPanelMichael]

Hello,

The "open_basedir" directive is manually added to the php.ini file (unless you are using the DSO handler), so you'd setup a script that adds a custom open_basedir entry to an account's php.ini file upon creation. Here's a UAPI function you can use to edit an account's php.ini file:

UAPI Functions - LangPHP::php_ini_set_user_content - Software Development Kit - cPanel Documentation

Thank you.

 

[xfactor5]

Hi,
It does not work, it's like it has no effect. And I am not surprised because it should not work with UAPI and users CPanel account! If any user can disable openbase_dir from their control panels, this would be a huge security risk because it means anyone can access files server wide just by adding a few directives.
The openbase_dir tweak is part of WHM not Cpanel and therefore if there is gonna be an API, it must be in WHM API not UAPI.
Any other solutions? I don't want to mess with http.conf!
Thanks

 

[cPanelMichael]

Hello,

Can you browse to "WHM >> MultiPHP Manager" and verify if PHP-FPM is enabled for any of your domain names? Also, please post the output from the following command:

/usr/local/cpanel/bin/rebuild_phpconf --current

Thank you.

 

[xfactor5]

Hi,
No, it's not enabled. We use LiteSpeed and as far as I remember it has it's own LSAPI which is faster than PHP-FPM.
The output:

DEFAULT PHP: ea-php56
ea-php54 SAPI: suphp
ea-php55 SAPI: suphp
ea-php56 SAPI: suphp
ea-php70 SAPI: suphp
ea-php71 SAPI: suphp

But we mostly use PHP 7.1 and we are planning to make it default.
Thanks

 

[cPanelMichael]

Hello,

I believe this works differently when you use LiteSpeed. Here's a LiteSpeed blog post that you may find helpful:

Switching from Apache: Open_Basedir in the Shared Hosting Environment

Additionally, there's a thread here you may want to review as well:

[Solved] LSCache issue when disabling user

Let us know if this helps.

Thank you.