How can I protect php.ini with suPHP?

[WhiteDog]

And another upgrade... now at version 0.8

Install Instructions

cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -O addon_phpinimgr.php http://download.how2.be/whm/phpinimgr/addon_phpinimgr.php.txt
chmod 700 addon_phpinimgr.php

The changes are:
- Added options to keep exisitng php.ini files when the solution is (re)enabled / disabled
- Empty <user> folders under /usr/local/apache/conf/userdata/ are now removed as well
- Added indicator (V) which checks for suphp_configpath.conf files
- Improved layout / added more information
- AUTO UPDATE BUTTON WHEN NEW VERSION IS AVAILABLE

I discovered that the entries are not maintained when transferring an account to another server. This updates gives you some insight on which accounts actually have it enabled and allows you to (re)enable it without overwriting the php.ini file already in place.

Also updated the layout and added more descriptions and information so this plugin can be better understood

Please leave a message if you use / like this plugin.

 

[Brandonm]

Trying to use this but when I click a username all I get is this:

Uncomment all entries starting with 'application/x-httpd-php' in /opt/suphp/etc/suphp.conf under section [phprc_paths]. This action would do nothing.

Those settings are already uncommented.

 

[Brandonm]

Looks like they have to be commented instead. Works when I comment them out.

 

[WhiteDog]

Looks like they have to be commented instead. Works when I comment them out.

You are correct, that's a typo I updated the instructions in the next version.
Feature requests are still welcome!

 

[Brandonm]

You are correct, that's a typo I updated the instructions in the next version.
Feature requests are still welcome!

One request would be to make the script automatically do this:

To force users to use server side php.ini file, create suphp_configpath.conf

# pico /usr/local/apache/conf/userdata/suphp_configpath.conf

and add the following lines

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>

At first it didn't work as expected but after going through the previous steps in the thread I realized this file wasn't created by the script itself and I had to create it manually.

PS. Thanks a lot this script is very easy to use, I would easily pay a small fee for a script like this.

 

[WhiteDog]

One request would be to make the script automatically do this:



At first it didn't work as expected but after going through the previous steps in the thread I realized this file wasn't created by the script itself and I had to create it manually.

PS. Thanks a lot this script is very easy to use, I would easily pay a small fee for a script like this.

I hink you are referring to the info posted by webinfomatrix.

The script creates a suphp_configpath.conf file here: /usr/local/apache/conf/userdata/std/2/<username>/
This is what (for me) allows <username> to use a custom php.ini file

The code you posted above is (if i'm correct?) to force / lock a certain php.ini for ALL users.
As webinfomatrix says: This will ensure all the users use the server side php configuration file. If you wish to keep the php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.
Do you want this added so users cannot create their own php.ini copies? (in combination with my solution)

For the record: on my setup, just placing a php.ini file in the users root folder does not work.It works only when I create suphp_configpath.conf in /usr/local/apache/conf/userdata/std/2/<username>/

 

[Brandonm]

Oh I see, but I thought by commenting out:

[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/

Would allow anyone to use a custom php.ini unless:

# pico /usr/local/apache/conf/userdata/suphp_configpath.conf

and add the following lines

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>

Was in place?

 

[yanayun]

the php values as per their wish.

This may increase security concerns on the server and hence to protect/secure php.ini in SuPHP enabled servers, force every user to use a common php.ini file.

This can be achieved by defining the path of server side php.ini file using suPHP_ConfigPath directive. To force users to use server side php.ini file, create suphp_configpath.conf

# pico /usr/local/apache/conf/userdata/suphp_configpath.conf

and add the following lines

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib/
</Location>
</IfModule>

Once done, save the file and rebuild the Apache configuration so it picks up the changes.

# /usr/local/cpanel/bin/apache_conf_distiller --update --main
# /usr/local/cpanel/bin/build_apache_conf

To verify the include files, execute:

# /scripts/verify_vhost_includes

It will display the path of the .conf file you created. Restart the Apache service once

# /scripts/restartsrv httpd

This will ensure all the users use the server side php configuration file. If you wish to keep the php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.

This command work fine to all websites protect user php.ini
add code automatic Include "/usr/local/apache/conf/userdata/*.conf" to httpd.conf

but problem, new user can't add this code automatic to httpd.conf
new user add this code automatic:

Options -ExecCGI -Includes
RemoveHandler cgi-script .cgi .pl .plx .ppl .perl

 

[kjg]

Hi all and thank you WhiteDog for the plugin
Probably it is just me, but I have a bit of a hard time understanding the steps I need to take.

What I want to do is to restrict all accounts from creating/using custom php.ini and then add custom php.ini for a limited number of accounts using your plugin. I am running php 5.3.16 / suphp / centOS 6.3

Having read this thread a copule of times, plus the info on the plugins homepage, plus the thread about restricing usage of php.ini (http://forums.cpanel.net/f185/metho...ricting-who-can-use-php-ini-files-167186.html) I still can't get it.

Would appreciate if I could get some help in creating a simple step by step of things to do in order to get this to work.
When I read the threads I understand it as it is recommended to use the "old way" to restrict usage and non of the two php 5.3 alternatives, but maybe I have misunderstood.

So from what I understand, the only thing I need to do is to
* install the plugin
* use the plugin to add php.ini to the accounts that should have custom php.ini settings

Will this really restrict all others from adding their own php.ini?

From what I can see, the directories

/usr/local/apache/conf/userdata
/usr/local/apache/conf/userdata/ssl
/usr/local/apache/conf/userdata/ssl/2
/usr/local/apache/conf/userdata/std
/usr/local/apache/conf/userdata/std/2
/usr/local/apache/conf/userdata/std/2/accountname/
​

are created

In the directory

/usr/local/apache/conf/userdata/std/2/accountname/​

the file suphp_configpath.conf is created with the following content:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /home/accountname
</Location>
</IfModule>​

So it all looks good, but it seems something is missing?

As I understand the ability to create a custom php.ini for an account is not yet stopped, so how do I do that?

Should I create a file called:

suphp_config.conf​

with the following content:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib
</Location>
</IfModule>​

and add that to folder:

/usr/local/apache/conf/userdata/​

?

Or do I have to do anything else? Such as editing the /opt/suphp/etc/suphp.conf file

Any advice would be appreciated.

// kjg

 

[borgia]

There is another easy way to do it with apache templates.

 

[tsiedsma]

I made a rudimentary version of a WHM plugon today that:
- Lists all users and indicated if there is a php.ini in /home/<user> or /home/<user>/www
- Does the things described in "For installing a custom php.ini for a user" above when clicking on the username.

I will improve the script a bit more first and then offer it for free offcourse

Feature request welcome as well.

EDIT:
available here: PHP.ini Manager - How2 Solutions
See readme.txt for details, more comming soon

I found an issue:

if (check_suphpconf() == false) { die("Uncomment all entries starting with 'application/x-httpd-php' in $suphpconf under section [phprc_paths]. This action would do nothing."); }

function check_suphpconf() {
    // returns true if OK
    GLOBAL $suphpconf;

    $ini_array = parse_ini($suphpconf);
    foreach ($ini_array as $key => $section) {
        if ($key == "phprc_paths") {
            if (is_array($section)) {
                foreach ($section as $key => $value) {
                    if ($key == "application/x-httpd-php") { return false; }
                    if ($key == "application/x-httpd-php4") { return false; }
                    if ($key == "application/x-httpd-php5") { return false; }
                }
            }
        }
    }
    return true;
}

Your function isn't correct. If the lines are uncommented, the keys will exist and your function will return false when it should return true. Your function will never return the correct results.

 

[WhiteDog]

I found an issue:

if (check_suphpconf() == false) { die("Uncomment all entries starting with 'application/x-httpd-php' in $suphpconf under section [phprc_paths]. This action would do nothing."); }

function check_suphpconf() {
    // returns true if OK
    GLOBAL $suphpconf;

    $ini_array = parse_ini($suphpconf);
    foreach ($ini_array as $key => $section) {
        if ($key == "phprc_paths") {
            if (is_array($section)) {
                foreach ($section as $key => $value) {
                    if ($key == "application/x-httpd-php") { return false; }
                    if ($key == "application/x-httpd-php4") { return false; }
                    if ($key == "application/x-httpd-php5") { return false; }
                }
            }
        }
    }
    return true;
}

Your function isn't correct. If the lines are uncommented, the keys will exist and your function will return false when it should return true. Your function will never return the correct results.

Hi tsiedsma. you are 100% correct. The problem here howevr is not in the code, it's in the documentation These lines should be commented, not uncommented...

 

[tsiedsma]

Hi tsiedsma. you are 100% correct. The problem here howevr is not in the code, it's in the documentation These lines should be commented, not uncommented...

I thought they needed to be uncommented to restrict the user from adding their own php.ini and the .htaccess suPHP_ConfigPath directive.

[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
application/x-httpd-php=/usr/local/lib/
application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/

 

[tsiedsma]

I have commented out those lines, then I added suPHP_ConfigPath /home/user/public_html/php.ini to a .htaccess file.
I copied the system php.ini and made some changes. I then ran phpinfo and can see my changes and the php.ini file is loaded from the new location.

Your script only appears to make it easy to modify a php.ini for users but does not prevent users from creating their own.