How can I protect php.ini with suPHP?

dansgalaxy

Well-Known Member
Jan 29, 2007
Reading, UK
cPanel Access Level
Root Administrator
Hey,

Recently re-setup a server and want to give it a security overhaul. Set it up with SuPHP and would like to find a way to properly secure the ability for local php.ini files.

I was hoping they would work like .htaccess where each part overrides the global one, unfortunately that doesn't seem to be the case.

One plan of action I have is to have the php.ini files set to read-only and possibly owned by root so they can be used but not edited by the user, so they can't stick what they like in it!

But at the moment it appears I would have to duplicate the global php.ini file into every user directory and set it read-only, which is darn near impossible, and I would then need to find a way to have the php.ini automatically copied into every new folder and a whole load of other hassles.

Is there a way around this problem? Is there a way I can disallow users creating or editing php.ini files full stop? And then if/when they need a custom setting I (root) have to do it?

Thanks,
Dan
 

jdlightsey

Perl Developer III
Staff member
Mar 6, 2007
Houston Texas
cPanel Access Level
Root Administrator
You have a few different options with mod_suphp...

1) You can allow the users to set up their own php.ini files as they see fit. This is the default configuration.

2) You can force all users to use a single php.ini file. This is done by setting the phprc_paths in /opt/suphp/etc/suphp.conf. If you set this it will override any other settings in .htaccess files or httpd.conf.

3) You can control which php.ini is used for each account using suPHP_ConfigPath. This directive can be used in httpd.conf and in .htaccess files, so if you want to lock a particular account to a certain php.ini you'd need to set suPHP_ConfigPath for that account in an include file and remove Options from the AllowOverride list for that VirtualHost.
 

dansgalaxy

Well-Known Member
Jan 29, 2007
Reading, UK
cPanel Access Level
Root Administrator
OK I have found a way to disable suphp_ConfigPath in htaccess, however I have no clue how to implement this in my current installation.

spareknet.org

This says
8. Modify the mod_suphp.c file
This is the last file modification. In this modification, I am going to disable the suPHP_ConfigPath from being used in users' .htaccess files. If users want to bypass a php.ini directive, I want to know about it. With this disabled, if a particular user needs a PHP directive changed, they will have to have the server administrator customize a php.ini for them and then reference this in the httpd.conf file. This is explained in more detail near the end of this guide.

Change:

suphp-0.6.1/src/apache/mod_suphp.c (Line 339)
{"suPHP_ConfigPath", suphp_handle_cmd_config, NULL, OR_OPTIONS, TAKE1,

To:

{"suPHP_ConfigPath", suphp_handle_cmd_config, NULL, RSRC_CONF|ACCESS_CONF, TAKE1,
How can I do this on my current installation?
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
All of the information in that post on the website is greatly outdated. I think I started that before cPanel offered suPHP as an option.

I believe you can get around this by using ordering preference in Apache.

In /usr/local/apache/conf/includes/pre_main_global.conf add the lines:

Code:
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /path/to/php.ini
</Location>
</IfModule>
Note that suPHP_ConfigPath should be just the directory location of the php.ini file. It should not be the full path to the php.ini file, just the full path to its directory.

The /usr/local/apache/conf/includes/pre_main_global.conf file may not exist or may be empty. That is fine, this file is already included in the Apache set up.

Restart Apache for the changes to go into effect.

/scripts/restartsrv_httpd

The <Location> will override any suPHP_ConfigPath in the user's .htaccess file.

Then if a user needs a customized php.ini follow the instructions at:

http://forums.cpanel.net/361496-post10.html

That post deals mainly with enabling register_globals for an account, but you can change any values in the customized php.ini file for that account.
 

dansgalaxy

Well-Known Member
Jan 29, 2007
Reading, UK
cPanel Access Level
Root Administrator
Right ok, so could i not just have
Code:
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /path/to/php.ini
</Location>
</IfModule>
For each VirtualHost entry (and add it to the vhost template so it auto does it for new ones), and then to give someone a custom one all I do is manually set the path in config & restart Apache?
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Well, cPanel changed a lot of things with Apache2. It doesn't really allow for configuration editing. You can't directly edit the httpd.conf file.

The include setup is the preferred method of doing this because it ensures that your changes remain after certain Apache cleanup processes.

If you directly edit a virtualhost entry in the httpd.conf then when the httpd.conf file is rebuilt, I'm not sure if those changes would remain. The include statements would, and the cleanup processes do not touch the included files.

In regards to the suPHP_ConfigPath line, make sure this is just the full path to the directory that contains the php.ini file and not the full path of the php.ini file.
 

dansgalaxy

Well-Known Member
Jan 29, 2007
Reading, UK
cPanel Access Level
Root Administrator
Just tested it and it works.

Yes, I know about the issue where it's going to wipe out my customisations; it's something I really need to work on and figure out how I will do them all without directly touching the httpd.conf.

I wonder if it might be possible to get clever and create some kind of cPanel plugin which controls custom php.ini, so it is included in Feature Manager and if I enable it for a user they then have a plugin which allows them to edit php.ini stored somewhere like /etc/phpconf/user/php.ini :/ but would need to find a way to have cPanel automatically create the directory and dump a copy of my global php.ini (the default one) into the custom phpconf thing :/

And then could just have

Code:
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /etc/phpconf/USERNAME/
</Location>
</IfModule>

in the default vhost templates or something :/
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
How many of your users are requiring custom php.ini files?

If all of your users are needing a setting adjusted in the php.ini file then it might be a good idea to consider changing this variable globally in the global php.ini file. It depends on what the setting is, you would just have to weigh the pros and cons to this. In my experience, very few users need custom php.ini files on a server.
 

dansgalaxy

Well-Known Member
Jan 29, 2007
Reading, UK
cPanel Access Level
Root Administrator
Well, ideally I would be looking to have the global php.ini as very strict security-wise, and if users (inc. quite a few of my own sites/accounts!) need functions like shell_exec etc. or need higher exec time for a script etc., I can then allow it on an as-needed basis.

Basically want to keep the reins tight so I can keep an eye on who has the leeway :)
 

sharmaine001

Well-Known Member
Jun 23, 2006
I am also looking for an automated way to do this.

Reason being, I want that when a cPanel account is created, it will automatically create a directory /home/user/tmp and a custom php.ini file in /etc/home/tmp/user, then put session.save_path = /home/user/tmp in it (this would mean override must be on, but since the php.ini is outside of their directory they don't have access).

Of course the permission of /home/user/tmp directory must be writable by this user in suphp + suexec so they can dump the php session files there

Any ideas how to do this?
 

hostvn

Member
PartnerNOC
Oct 1, 2007
Ha Noi, Viet Nam
If you want to force all users to use the global php.ini with suPHP, you can edit:
/opt/suphp/etc/suphp.conf
and uncomment these lines:
[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
Very useful and helpful, although including it in pre_main_global.conf didn't work for me. It seemed to have no effect there.

In all of the scenarios below I am running Apache 2.x and wanting SSL and non-SSL vhosts to be affected.

Scenario #1: I want to force all users to use the primary php.ini file but I want a single user, bobdog, to have a custom php.ini file (/home/bobdog/php.ini)

a. create /usr/local/apache/conf/userdata/suphp_configpath.conf containing:

Code:
#note: do not include php.ini itself - just the path - ex: /usr/local/lib/
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>
b. create /usr/local/apache/conf/userdata/std/2/bobdog/suphp_configpath.conf and /usr/local/apache/conf/userdata/ssl/2/bobdog/suphp_configpath.conf, with each of those files containing:

Code:
#note: do not include php.ini itself - just the path to bobdog's homedir
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /home/bobdog/
</Location>
</IfModule>
Scenario #2: I want to force all users to use the primary php.ini file but I want a single user, bobdog, to have a custom php.ini file, but only for bobdoglikescpanel.com, one of his 10 domains (/home/bobdog/public_html/bobdoglikescpanel.com/php.ini)

a. create /usr/local/apache/conf/userdata/suphp_configpath.conf containing:

Code:
#note: do not include php.ini itself - just the path - ex: /usr/local/lib/
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>
b. create /usr/local/apache/conf/userdata/std/2/bobdog/bobdoglikescpanel.com/suphp_configpath.conf and /usr/local/apache/conf/userdata/ssl/2/bobdog/bobdoglikescpanel.com/suphp_configpath.conf, with each of those files containing:

Code:
#note: do not include php.ini itself - just the path to the root web of bobdoglikescpanel.com
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /home/bobdog/public_html/bobdoglikescpanel.com/
</Location>
</IfModule>
Then:

c. /scripts/verify_vhost_includes

Check integrity of the include files I guess?

d. If #3 checks ok, then /scripts/ensure_vhost_includes --all-users

Applies the vhost includes that apply to all users (i.e. in /usr/local/apache/conf/userdata/*.conf I guess) ?

e. /scripts/ensure_vhost_includes --user=bobdog

Applies the specific vhost includes for user bobdog and his domains I guess?


At any rate, this worked for me. All the sites on the server are restricted to using only the default php.ini in /usr/local/lib/php.ini except for bobdog, who either gets a custom php.ini to use for all of his domains (scenario #1) or a single domain of his (scenario #2).

If some other user attempts to drop a php.ini file in their own directory structure, it is ignored.

With all of that said, I'm not sure why it didn't work for me when I put it in pre_main_global.conf.

For others reading, keep in mind that it can even be made more secure by having the users' custom PHP files outside of their homedirs, where only the admin can access/modify them - i.e. exactly what Sparek described how to do in a link he posted earlier in this thread.

I also have not figured out yet if a newly added user automatically has that include applied to them as well, or if I would have to re-run /scripts/ensure_vhost_includes --all-users each time I add a new user. I'm hoping it's automatic. I need to delve further into the Twiki info.

Thanks, Sparek, for your tutorial on how to do this.

Mike
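The per-account layout described in the scenarios above can be scripted. The following is an added example, not code from the thread or from cPanel: it copies the global php.ini into a root-owned directory outside the account's home (the /etc/phpconf/USERNAME location dansgalaxy floated earlier) and writes the userdata/std/2 and userdata/ssl/2 includes that point suPHP_ConfigPath at that directory. The directory parameters (APACHE_CONF, GLOBAL_INI, PHPCONF_ROOT) and the function names are assumptions so the script can be exercised in a scratch tree; on a server the defaults apply and it must run as root so the copied file is root-owned.

```shell
#!/bin/sh
# Added example, not code from the thread: provision a root-owned per-account
# php.ini outside the account's home directory and write the cPanel vhost
# includes that point suPHP_ConfigPath at it (userdata/std/2 and
# userdata/ssl/2 layout as in mtindor's post). Paths are parameters so the
# functions can be tested in a scratch tree; defaults are the server values.
set -eu

APACHE_CONF="${APACHE_CONF:-/usr/local/apache/conf}"
GLOBAL_INI="${GLOBAL_INI:-/usr/local/lib/php.ini}"
PHPCONF_ROOT="${PHPCONF_ROOT:-/etc/phpconf}"

# Write one suPHP_ConfigPath include. The directive takes the directory that
# holds php.ini, never the path of php.ini itself.
write_include() {
    inidir="$1"; target="$2"
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<EOF
# suPHP_ConfigPath is the directory containing php.ini, not the file
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath ${inidir}
</Location>
</IfModule>
EOF
}

# Create PHPCONF_ROOT/<user>/php.ini as a copy of the global php.ini that the
# account can read (suPHP runs PHP as that user) but cannot modify, then write
# the include for both the non-SSL (std) and SSL vhosts.
provision_user_ini() {
    user="$1"
    case "$user" in
        ""|*/*|*..*|.*) echo "refusing unsafe account name: $user" >&2; return 1 ;;
    esac
    inidir="${PHPCONF_ROOT}/${user}/"
    mkdir -p "$inidir"
    cp "$GLOBAL_INI" "${inidir}php.ini"
    chmod 0755 "$inidir"          # readable by the account, writable only by owner
    chmod 0644 "${inidir}php.ini" # readable by the account, writable only by owner
    for scheme in std ssl; do
        write_include "$inidir" \
            "${APACHE_CONF}/userdata/${scheme}/2/${user}/suphp_configpath.conf"
    done
}

# Succeeds when the std include for a user names exactly the expected directory.
check_include() {
    grep -qxF "suPHP_ConfigPath ${PHPCONF_ROOT}/$1/" \
        "${APACHE_CONF}/userdata/std/2/$1/suphp_configpath.conf"
}
```

On a live server, follow it with /scripts/verify_vhost_includes and /scripts/ensure_vhost_includes --user=<user> as in steps c and e above, so the new include is picked up by the rebuilt vhosts.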
 

santrix

Well-Known Member
Nov 30, 2008
I'm on a steep learning curve reading all this.

I have added

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib
</Location>
</IfModule>

To the /usr/local/apache/conf/includes/pre_main_global.conf file (which was empty beforehand), /usr/local/lib being the path to my php.ini.

Am I right in believing this should now prevent any php.ini files in users' directories from being processed?

Is there a simple way I can test this? I'm not a whiz with PHP directives... is there something I could put in a local php.ini file to definitely break a site just to test it is being ignored? Cheers!

UPDATE TO POST

hostvn got it right earlier in this thread... doing the above in /usr/local/apache/conf/includes/pre_main_global.conf made no difference on my server...

Only by editing /opt/suphp/etc/suphp.conf

and uncommenting the lines as follows:

[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
application/x-httpd-php=/usr/local/lib/
application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/

could I force all user accounts to use the central php.ini

Now all I have to work out is how to allow a single account to override...
 

PitaBread

Registered
Feb 9, 2010
OK, I've got a couple of questions related to forcing everyone to use a single php.ini with suPHP. I see a bunch of discussion here about modifying /opt/suphp/etc/suphp.conf. Is that the proper way to lock everyone into the single php.ini? I also see in EasyApache that there is an option (under the full list of PHP compile options) that says 'safe php cgi'. The notes next to that say that if this option is enabled they can't override the system php.ini.

Which is the 'proper' way to do it? My preference (if it works properly) would be to use the PHP compile option, as I'm afraid that an upcp will overwrite our customized suphp.conf.

My second question has to do with actually overriding the php.ini for a single site. From the above discussion we understand how to put the override in place (to look at a custom php.ini for their domain). My question is: the custom php.ini needs to be a complete copy of the system php.ini with the item(s) that they needed modified changed? In other words if we created a custom php.ini with just the memory limit changed everything else would take 'default' values and not our settings in the main php.ini?

I hope this makes sense.
 

Bahram0110

Well-Known Member
Dec 12, 2007
Hi,
I read all the threads and related links but I cannot find:
How can I disable loading php.ini in users' directories like home/username/public_html
when suphp & suexec are on,
and also use a custom php.ini for some users?

Please help me.

Thanks
 

JaredR.

Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
Before I go on, I would like to mention that suexec and suphp are not related. suexec is for CGI scripts, and suPHP is for PHP scripts. There may be some confusion because there was once a phpSuExec option that has been replaced by suPHP. Currently, suPHP and suexec are used for different types of scripts and they are not related to each other.

You can prevent users from using custom php.ini files using suPHP by uncommenting (removing the semicolons - ;) from the following directives in /opt/suphp/etc/suphp.conf:

[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/

However, this will not allow you to use a custom php.ini file for only certain users. The only other way I can think of to do what you want would be to leave the above lines in suphp.conf alone, and add the following to most users' .htaccess files:

Code:
suPHP_ConfigPath /path/to/file
Replace /path/to/file with the path to the php.ini file you wish the user to use. You would then need to change the permissions on the .htaccess file to prevent the user from editing it.
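Several posters (santrix, PitaBread, Bahram0110) ask how to tell whether the lockdown is actually in place. The following is an added example, not code from the thread or from suPHP: it parses the [phprc_paths] section of suphp.conf in the format quoted above and reports whether an active entry forces the php.ini regardless of suPHP_ConfigPath; when none is active it lists php.ini files sitting in account home directories, which suPHP would honour unless an Apache-level suPHP_ConfigPath overrides them. The function names are assumptions, and the file and directory are parameters so the audit can run against constructed input; on a server they are /opt/suphp/etc/suphp.conf and /home.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the two php.ini override
# controls discussed above. Arguments are the suphp.conf path and the root of
# the account home directories (/opt/suphp/etc/suphp.conf and /home on a server).
set -eu

# Print the active (uncommented, non-blank) lines of the [phprc_paths] section.
# Returns 1 when the section has no active entry, i.e. the handler-wide
# lock is not in place and per-account php.ini files may still be picked up.
active_phprc_paths() {
    found=$(awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[phprc_paths]/); next }
        insec && $0 !~ /^[[:space:]]*[;#]/ && $0 !~ /^[[:space:]]*$/ { print }
    ' "$1")
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# List php.ini files under account home directories, a few levels deep (the
# places users drop them: the home dir, public_html, per-domain docroots).
user_php_inis() {
    find "$1" -mindepth 2 -maxdepth 4 -type f -name php.ini 2>/dev/null | sort
}

# Summary line: "locked" when phprc_paths is active, otherwise "open:<count>"
# where <count> is the number of user-placed php.ini files that would be honoured.
audit() {
    if active_phprc_paths "$1" >/dev/null; then
        echo locked
    else
        n=$(user_php_inis "$2" | wc -l | tr -d ' ')
        echo "open:$n"
    fi
}
```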