How can I protect php.ini with suPHP?

WhiteDog

Well-Known Member
Feb 19, 2008
Would anyone be interested in a script that does the following:

For installing a custom php.ini for a user
- copy suphp_configpath.conf to /usr/local/apache/conf/userdata/std/2/username/ and /usr/local/apache/conf/userdata/ssl/2/username/
- This suphp_configpath.conf would be configured with: suPHP_ConfigPath /home/username/
- Run /scripts/verify_vhost_includes and then /scripts/ensure_vhost_includes --all-users
- copy current php.ini to /home/username/

For maintenance
- Search all user dirs and replace all php.ini in /home/username/ with latest copy
- Preserve everything in e.g. [custom]

Security
- Find all custom php.ini

This script would make it easy to add a custom php.ini while maintaining one global copy and still applying its changes.

I'm willing to create this and offer it free of charge if people are interested.
 

CookieMonster

Member
Oct 25, 2011
Yes, it would be nice; I can pay for it.
 

CookieMonster

Member
Oct 25, 2011
Very useful and helpful, although including it in pre_main_global.conf didn't work for me. It seemed to have no effect there.

In all of the scenarios below I am running Apache 2.x and wanting SSL and non-SSL vhosts to be affected.

Scenario #1: I want to force all users to use the primary php.ini file but i want a single user, bobdog, to have a custom php.ini file (/home/bobdog/php.ini)

a. create /usr/local/apache/conf/userdata/suphp_configpath.conf containing:

Code:
#note: do not include php.ini itself - just the path - ex: /usr/local/lib/
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>
b. create /usr/local/apache/conf/userdata/std/2/bobdog/suphp_configpath.conf and /usr/local/apache/conf/userdata/ssl/2/bobdog/suphp_configpath.conf, with each of those files containing:

Code:
#note: do not include php.ini itself - just the path to bobdog's homedir
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /home/bobdog/
</Location>
</IfModule>
Scenario #2: I want to force all users to use the primary php.ini file but i want a single user, bobdog, to have a custom php.ini file, but only for bobdoglikescpanel.com, one of his 10 domains (/home/bobdog/public_html/bobdoglikescpanel.com/php.ini)

a. create /usr/local/apache/conf/userdata/suphp_configpath.conf containing:

Code:
#note: do not include php.ini itself - just the path - ex: /usr/local/lib/
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>
b. create /usr/local/apache/conf/userdata/std/2/bobdog/bobdoglikescpanel.com/suphp_configpath.conf and /usr/local/apache/conf/userdata/ssl/2/bobdog/bobdoglikescpanel.com/suphp_configpath.conf, with each of those files containing:

Code:
#note: do not include php.ini itself - just the path to the root web of bobdoglikescpanel.com
<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /home/bobdog/public_html/bobdoglikescpanel.com/
</Location>
</IfModule>
Then:

c. /scripts/verify_vhost_includes

Check integrity of the include files I guess?

d. If #3 checks ok, then /scripts/ensure_vhost_includes --all-users

Applies the vhost includes that apply to all users (i.e. in /usr/local/apache/conf/userdata/*.conf I guess) ?

e. /scripts/ensure_vhost_includes --user=bobdog

Applies the specific vhost includes for user bobdog and his domains I guess?


At any rate, this worked for me. All the sites on the server are restricted to using only the default php.ini in /usr/local/lib/php.ini except for bobdog, who either gets a custom php.ini to use for all of his domains (scenario #1) or a single domain of his (scenario #2).

If some other user attempts to drop a php.ini file in their own directory structure, it is ignored.

With all of that said, I'm not sure why it didn't work for me when I put it in pre_main_global.conf.

For others reading, keep in mind that it can be made even more secure by having the users' custom PHP files outside of their homedirs, where only the admin can access/modify them - i.e. exactly what Sparek described in a link he posted earlier in this thread.

I also have not figured out yet if a newly added user automatically has that include applied to them as well, or if I would have to re-run /scripts/ensure_vhost_includes --all-users each time I add a new user. I'm hoping it's automatic. I need to delve further into the Twiki info.

Thanks, Sparek, for your tutorial on how to do this.

Mike
Thanks for the tips, it works nicely :)
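The two scenarios above boil down to writing one include file under both the std and ssl userdata trees and then letting cPanel rebuild the vhosts. The script below is an added example written for this thread, not code from the original posts or from phpinimgr: it writes the per-user (scenario #1) or per-domain (scenario #2) suphp_configpath.conf, optionally runs the /scripts helpers, and audits the userdata tree for every suPHP_ConfigPath override (the "find all custom php.ini" item from the first post). The userdata layout, the "2" Apache-version path component and the root-directory override are assumptions taken from the paths quoted in the thread; the global suphp_configpath.conf at the top of userdata is left for you to create as described.

```python
#!/usr/bin/env python3
"""Install and audit per-user suPHP_ConfigPath overrides in cPanel's userdata tree.

Added example for the thread, not phpinimgr's code. Assumes the layout quoted above:
  /usr/local/apache/conf/userdata/{std,ssl}/2/<user>[/<domain>]/suphp_configpath.conf
The 'root' argument (or USERDATA_ROOT in the environment) points it at a scratch
directory instead of the live Apache configuration.
"""
import os
import re
import subprocess

USERDATA_ROOT = os.environ.get("USERDATA_ROOT", "/usr/local/apache/conf/userdata")
APACHE_MAJOR = "2"                     # the "2" path component in userdata/std/2/...
CONF_NAME = "suphp_configpath.conf"

# Same snippet as the thread's per-user include; the directive takes the
# directory that holds php.ini, never the php.ini file itself.
TEMPLATE = """<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath {path}
</Location>
</IfModule>
"""

DIRECTIVE = re.compile(r"^\s*suPHP_ConfigPath\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def include_dirs(user, domain=None, root=None):
    """The std (HTTP) and ssl (HTTPS) include directories for one user or one domain."""
    root = root or USERDATA_ROOT
    parts = [APACHE_MAJOR, user] + ([domain] if domain else [])
    return [os.path.join(root, proto, *parts) for proto in ("std", "ssl")]


def install_override(user, config_dir, domain=None, root=None):
    """Write the include for a whole user (scenario #1) or a single domain (scenario #2).

    Returns the two paths written. config_dir is normalised to end in '/'.
    """
    if not config_dir.endswith("/"):
        config_dir += "/"
    written = []
    for d in include_dirs(user, domain, root):
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, CONF_NAME)
        with open(path, "w") as fh:
            fh.write(TEMPLATE.format(path=config_dir))
        os.chmod(path, 0o644)              # root-owned and world-readable, like the rest of userdata
        written.append(path)
    return written


def rebuild_includes(user):
    """Run cPanel's include scripts named in the thread; skipped where they do not exist."""
    for cmd in (["/scripts/verify_vhost_includes"],
                ["/scripts/ensure_vhost_includes", "--user=" + user]):
        if os.access(cmd[0], os.X_OK):
            subprocess.run(cmd, check=True)


def audit_overrides(root=None):
    """The 'find all custom php.ini' step: {(user, domain or '*'): {config dirs}}.

    Every entry whose directory is not the global one (/usr/local/lib/) is an
    account running PHP under its own configuration and should be reviewed.
    """
    root = root or USERDATA_ROOT
    found = {}
    for proto in ("std", "ssl"):
        base = os.path.join(root, proto, APACHE_MAJOR)
        if not os.path.isdir(base):
            continue
        for cur, _dirs, files in os.walk(base):
            if CONF_NAME not in files:
                continue
            rel = os.path.relpath(cur, base).split(os.sep)
            user, domain = rel[0], (rel[1] if len(rel) > 1 else "*")
            with open(os.path.join(cur, CONF_NAME)) as fh:
                m = DIRECTIVE.search(fh.read())
            if m:
                found.setdefault((user, domain), set()).add(m.group(1))
    return found


if __name__ == "__main__":
    for (user, domain), dirs in sorted(audit_overrides().items()):
        print(f"{user:<16} {domain:<32} {' '.join(sorted(dirs))}")
```

Because the directive sits inside `<Location />`, Apache applies it after any per-directory configuration, so a suPHP_ConfigPath that a user drops into .htaccess is overridden rather than honoured. The audit is still worth running after every account change: a stray per-user include is itself a PHP configuration override, whoever created it.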
 

WhiteDog

Well-Known Member
Feb 19, 2008
I made a rudimentary version of a WHM plugin today that:
- Lists all users and indicates whether there is a php.ini in /home/<user> or /home/<user>/www
- Does the things described in "For installing a custom php.ini for a user" above when clicking on the username.

I will improve the script a bit more first and then offer it for free, of course :)

Feature requests welcome as well.

EDIT:
available here: http://download.how2.be/whm/phpinimgr/
See readme.txt for details, more coming soon
 

Lestat

Well-Known Member
Sep 13, 2003
The script ran and placed php.ini in the user's root folder, but the owner of the file is still root, not the user. Running PHP 5.3. I currently have "disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fope". Not sure how I can use this for an individual user to make it "disable_functions =". Also, an uninstall for a user would be nice as well.

So I changed the owner to the user and modified the script, and still nothing. Just trying to run phpinfo(); and the global one is still overwriting it. Love the idea of the script, and a working one would be great. Or some help if I am missing something here.
 

WhiteDog

Well-Known Member
Feb 19, 2008
I do not want users to be able to change the file, so I do not give them access to it :)
This should be turned into a setting, of course.

I did not test on PHP 5.3 yet (I will in a few days) but I assume it makes no difference.

Can you just manually verify if the following is there (this is the manual procedure):
- copy suphp_configpath.conf to /usr/local/apache/conf/userdata/std/2/username/ and /usr/local/apache/conf/userdata/ssl/2/username/
- This suphp_configpath.conf would be configured with: suPHP_ConfigPath /home/username/
- Run /scripts/verify_vhost_includes and then /scripts/ensure_vhost_includes --all-users
- copy current php.ini to /home/username/
 

Lestat

Well-Known Member
Sep 13, 2003
The manual steps you have work, but I believe it is only for PHP 5.2. This is a nice script, but I wish there was a PHP 5.3 supported one out there to give certain users access to their own private php.ini file to use things like shell_exec or phpinfo, etc.

PHP 5.3 supports a new type of setting to make all this easier, but I am not being very successful with it:
user_ini.filename = .my.ini
 

WhiteDog

Well-Known Member
Feb 19, 2008
If someone explains how to do this in PHP 5.3 I will update the script.
This post explains it (http://forums.cpanel.net/f185/metho...ricting-who-can-use-php-ini-files-167186.html) but that's not working for you?
 

Lestat

Well-Known Member
Sep 13, 2003
PHP 5.3.10 (cli) (built: Mar 15 2012 18:14:32)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with the ionCube PHP Loader v4.0.12, Copyright (c) 2002-2011, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2010, by Zend Technologies
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
 

WhiteDog

Well-Known Member
Feb 19, 2008
I have just tested with PHP 5.3.10 using the "old" method. This still works for me.
The "new" method with the .my.ini I don't like because you can not alter PHP_INI_SYSTEM variables with it (see PHP: List of php.ini directives - Manual).

I will update phpinimgr so that it:
- Can update all custom php.ini files with the default one while preserving the directives under [phpinimgr_custom]
- Removes all entries found in the custom directive from anywhere else
- allows you to UNCOMMENT entries in the custom directive, and removes their uncommented counterparts from anywhere else in the file (so you can e.g. put ";extension=homeloader.so" as a custom directive, and then "extension=homeloader.so" is removed).
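The update rule described above can be implemented as a small merge: take the fresh global php.ini, drop the lines that the user's custom section overrides, and append the custom section. The code below is an added example, not phpinimgr's own code; the section name [phpinimgr_custom] comes from the post, while the sample ini text, the special-casing of extension and zend_extension as repeatable directives, and the /home/<user>/php.ini location are assumptions.

```python
#!/usr/bin/env python3
"""Rebuild per-user php.ini files from the global php.ini, keeping each user's
[phpinimgr_custom] section.  Added example, not phpinimgr's code.

Merge rule implemented here:
  * the custom section is appended after the fresh global copy, so its
    directives take effect (PHP keeps the last assignment it reads);
  * an active global line with the same directive name as a custom entry is
    dropped, so a user who sets 'disable_functions =' is not left with the
    global list as well;
  * 'extension' and 'zend_extension' repeat, so for those only an exact
    key=value match is dropped: the commented custom entry
    ';extension=homeloader.so' removes 'extension=homeloader.so' and nothing
    else.  Section headers such as [PHP] are not directives and pass through.
"""
import glob
import os
import re
import shutil

CUSTOM_SECTION = "[phpinimgr_custom]"            # name used in the thread
MULTI_VALUED = {"extension", "zend_extension"}   # assumption: the repeatable directives
SECTION_RE = re.compile(r"^\s*\[[^\]]*\]\s*$")
DIRECTIVE_RE = re.compile(r"^\s*;?\s*(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*?)\s*$")


def parse(line):
    """('key', 'value') for 'key = value' or ';key = value', else None."""
    m = DIRECTIVE_RE.match(line)
    return (m.group("key"), m.group("value")) if m else None


def is_active(line):
    """A directive line that is not commented out with ';' or '#'."""
    s = line.strip()
    return bool(s) and s[0] not in ";#"


def custom_block(user_ini):
    """Lines of the user's [phpinimgr_custom] section, header excluded, up to the next section."""
    lines, inside = [], False
    for line in user_ini.splitlines():
        if line.strip() == CUSTOM_SECTION:
            inside = True
            continue
        if inside and SECTION_RE.match(line):
            break
        if inside:
            lines.append(line)
    return lines


def merge(global_ini, user_ini):
    """Return the new php.ini text for one user."""
    custom = custom_block(user_ini)
    keys, exact = set(), set()
    for line in custom:
        parsed = parse(line)
        if not parsed:
            continue
        key, value = parsed
        if key in MULTI_VALUED:
            exact.add((key, value))
        else:
            keys.add(key)
    kept = []
    for line in global_ini.splitlines():
        if line.strip() == CUSTOM_SECTION:
            break                      # never inherit a custom section from the global file
        parsed = parse(line)
        if parsed and is_active(line):
            key, value = parsed
            if key in keys or (key, value) in exact:
                continue               # overridden by the user's custom section
        kept.append(line)
    return "\n".join(kept + ["", CUSTOM_SECTION] + custom).rstrip("\n") + "\n"


def rebuild_all(global_path, home_root="/home", backup=True):
    """Rewrite every <home_root>/<user>/php.ini in place; returns the files rewritten.

    Writing in place keeps the file's owner and mode.  A file locked with
    'chattr +i' must have the bit cleared first or the write fails.
    """
    with open(global_path) as fh:
        global_ini = fh.read()
    done = []
    for path in sorted(glob.glob(os.path.join(home_root, "*", "php.ini"))):
        with open(path) as fh:
            user_ini = fh.read()
        if backup:
            shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write(merge(global_ini, user_ini))
        done.append(path)
    return done
```

Later assignments in php.ini win over earlier ones, which is why the custom section is appended rather than spliced in. Running the merge a second time over its own output yields the same file, so it is safe to re-run after every global php.ini change.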
 

WhiteDog

Well-Known Member
Feb 19, 2008
I have released a new version of phpinimgr today - 0.5

Changelog
  • Commented entries can now be added. The uncommented counterpart is removed. NOTE: requires *exact* match
  • Added ability to update all custom php.ini files with the global php.ini file, preserving all custom directives
  • Added editor for custom php.ini entries
  • Added option to make user own the php.ini file
  • Added option to take a backup during updates
  • User accounts are now sorted alphabetically

Download and instructions
Index of /whm/phpinimgr

ENJOY !
 

freemannn

Member
Dec 17, 2006
I did this using cPanel templates (vhost.local) and I can use a different php.ini per user or per package.

So every new account has its own php.ini (accessible only by root); users cannot use suPHP_ConfigPath in their .htaccess (if they try, they get a 500 error, and it does not work because there can be only one location for php.ini, accessible only by root). If a user wants something that is disabled, I enable it just for that user by modifying this php.ini. Everything is automatic, and with another script I check for changes at update time and append what I need to the cPanel templates. This way you have 100% control of your server (regarding PHP).
 

h100

Registered
Mar 24, 2012
Whitedog,

Great plugin, thanks for it.

I found a little bug: even if the custom php.ini file for a user is owned by root:root, the account owner can delete it using FTP or the web file manager and place another php.ini in place of the old one. This can cause security problems. You can see a discussion about this issue at: http://forums.cpanel.net/f5/register_globals-suexec-suphp-76084-p2.html - search for chattr and you will find how to solve the problem.

I changed your plugin a little to add the use of chattr for some additional security; search for chattr in the source code and you will find the changes I made. Please review the attached file with your changed plugin and say what you think about the changes.

Also, for your plugin to work with WHM 11.32.2 build 8 I needed to change /opt/suphp/etc/suphp.conf in the following section from:

Code:
[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
application/x-httpd-php=/usr/local/lib/
application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/
To:

Code:
[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/
(attachment: addon_phpinimgr.zip)

Regards,
 

Lestat

Well-Known Member
Sep 13, 2003
Works great. Thank you, everyone. PHP 5.3, cPanel 11.32 working.
 

webinfomatrix

Registered
Apr 5, 2012
the php values as per their wish.

This may raise security concerns on the server, so to protect php.ini on suPHP-enabled servers, force every user to use a common php.ini file.

This can be achieved by defining the path of the server-side php.ini file with the suPHP_ConfigPath directive. To force users to use the server-side php.ini file, create suphp_configpath.conf:

# pico /usr/local/apache/conf/userdata/suphp_configpath.conf

and add the following lines

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>

Once done, save the file and rebuild the Apache configuration so it picks up the changes.

# /usr/local/cpanel/bin/apache_conf_distiller --update --main
# /usr/local/cpanel/bin/build_apache_conf

To verify the include files, execute:

# /scripts/verify_vhost_includes

It will display the path of the .conf file you created. Then restart the Apache service:

# /scripts/restartsrv httpd

This will ensure all users use the server-side PHP configuration file. If you wish to keep php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.
 

WhiteDog

Well-Known Member
Feb 19, 2008
Dear h100,

Sorry for not getting back to you sooner, I was on holiday.
Thank you for pointing these out. I will implement these changes in the next version in the following days.

I already had those 3 lines commented in my config (file not changed since 2011) so I don't think it is a new requirement. Perhaps the default has changed over time? I will add some sort of self-check to verify these and other prerequisites to the script.

BTW: anyone have the need to store the php.ini file in a custom location (e.g. /var/phpinimgr/<username>/php.ini)? This would improve on security but as a downside these files would not be included in a backup.
 

WhiteDog

Well-Known Member
Feb 19, 2008
Hello all,

A new version of phpinimgr is now available (0.6).
You can grab it at Index of /whm/phpinimgr

The changes are:
- Folders under /usr/local/apache/conf/userdata/ are now created recursively
- Added sanity check to see if suphp.conf exists
- Added sanity check for uncommented entries in suphp.conf under section [phprc_paths]
- php.ini files are now correctly set as root or <user> on creation, saves and updates.
- php.ini files are protected against user deletion with chattr (thanks h100!)
- Added X to account list which undoes all modifications

This should cover most of the remarks, fix some bugs and add new features :)