How can I protect php.ini with suPHP?

And another upgrade... now at version 0.8

Install Instructions

Code:

cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -O addon_phpinimgr.php http://download.how2.be/whm/phpinimgr/addon_phpinimgr.php.txt
chmod 700 addon_phpinimgr.php

The changes are:
- Added options to keep exisitng php.ini files when the solution is (re)enabled / disabled
- Empty <user> folders under /usr/local/apache/conf/userdata/ are now removed as well
- Added indicator (V) which checks for suphp_configpath.conf files
- Improved layout / added more information
- AUTO UPDATE BUTTON WHEN NEW VERSION IS AVAILABLE

I discovered that the entries are not maintained when transferring an account to another server. This updates gives you some insight on which accounts actually have it enabled and allows you to (re)enable it without overwriting the php.ini file already in place.

Also updated the layout and added more descriptions and information so this plugin can be better understood

Please leave a message if you use / like this plugin.

 

Trying to use this but when I click a username all I get is this:

Those settings are already uncommented.

 

Looks like they have to be commented instead. Works when I comment them out.

 

You are correct, that's a typo I updated the instructions in the next version.
Feature requests are still welcome!

 

One request would be to make the script automatically do this:

At first it didn't work as expected but after going through the previous steps in the thread I realized this file wasn't created by the script itself and I had to create it manually.

PS. Thanks a lot this script is very easy to use, I would easily pay a small fee for a script like this.

 

I hink you are referring to the info posted by webinfomatrix.

The script creates a suphp_configpath.conf file here: /usr/local/apache/conf/userdata/std/2/<username>/
This is what (for me) allows <username> to use a custom php.ini file

The code you posted above is (if i'm correct?) to force / lock a certain php.ini for ALL users.
As webinfomatrix says: This will ensure all the users use the server side php configuration file. If you wish to keep the php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.
Do you want this added so users cannot create their own php.ini copies? (in combination with my solution)

For the record: on my setup, just placing a php.ini file in the users root folder does not work.It works only when I create suphp_configpath.conf in /usr/local/apache/conf/userdata/std/2/<username>/

 

Oh I see, but I thought by commenting out:

Would allow anyone to use a custom php.ini unless:

Was in place?

 

This command work fine to all websites protect user php.ini
add code automatic Include "/usr/local/apache/conf/userdata/*.conf" to httpd.conf

but problem, new user can't add this code automatic to httpd.conf
new user add this code automatic:

Options -ExecCGI -Includes
RemoveHandler cgi-script .cgi .pl .plx .ppl .perl

 

Hi all and thank you WhiteDog for the plugin
Probably it is just me, but I have a bit of a hard time understanding the steps I need to take.

What I want to do is to restrict all accounts from creating/using custom php.ini and then add custom php.ini for a limited number of accounts using your plugin. I am running php 5.3.16 / suphp / centOS 6.3

Having read this thread a copule of times, plus the info on the plugins homepage, plus the thread about restricing usage of php.ini (http://forums.cpanel.net/f185/methods-increase-security-suphp-restricting-who-can-use-php-ini-files-167186.html) I still can't get it.

Would appreciate if I could get some help in creating a simple step by step of things to do in order to get this to work.
When I read the threads I understand it as it is recommended to use the "old way" to restrict usage and non of the two php 5.3 alternatives, but maybe I have misunderstood.

So from what I understand, the only thing I need to do is to
* install the plugin
* use the plugin to add php.ini to the accounts that should have custom php.ini settings

Will this really restrict all others from adding their own php.ini?

From what I can see, the directories

/usr/local/apache/conf/userdata
/usr/local/apache/conf/userdata/ssl
/usr/local/apache/conf/userdata/ssl/2
/usr/local/apache/conf/userdata/std
/usr/local/apache/conf/userdata/std/2
/usr/local/apache/conf/userdata/std/2/accountname/
​

are created

In the directory

/usr/local/apache/conf/userdata/std/2/accountname/ ​

the file suphp_configpath.conf is created with the following content:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /home/accountname
</Location>
</IfModule>​

So it all looks good, but it seems something is missing?

As I understand the ability to create a custom php.ini for an account is not yet stopped, so how do I do that?

Should I create a file called:

suphp_config.conf​

with the following content:

<IfModule mod_suphp.c>
<Location />
suPHP_ConfigPath /usr/local/lib
</Location>
</IfModule>​

and add that to folder:

/usr/local/apache/conf/userdata/​

?

Or do I have to do anything else? Such as editing the /opt/suphp/etc/suphp.conf file

Any advice would be appreciated.

// kjg

 

There is another easy way to do it with apache templates.

 

I found an issue:

PHP:

if (check_suphpconf() == false) { die("Uncomment all entries starting with 'application/x-httpd-php' in $suphpconf under section [phprc_paths]. This action would do nothing."); }

function check_suphpconf() {
    // returns true if OK
    GLOBAL $suphpconf;

    $ini_array = parse_ini($suphpconf);
    foreach ($ini_array as $key => $section) {
        if ($key == "phprc_paths") {
            if (is_array($section)) {
                foreach ($section as $key => $value) {
                    if ($key == "application/x-httpd-php") { return false; }
                    if ($key == "application/x-httpd-php4") { return false; }
                    if ($key == "application/x-httpd-php5") { return false; }
                }
            }
        }
    }
    return true;
}

Your function isn't correct. If the lines are uncommented, the keys will exist and your function will return false when it should return true. Your function will never return the correct results.

 

Hi tsiedsma. you are 100% correct. The problem here howevr is not in the code, it's in the documentation These lines should be commented, not uncommented...

 

I thought they needed to be uncommented to restrict the user from adding their own php.ini and the .htaccess suPHP_ConfigPath directive.

Code:

[phprc_paths]
;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.
application/x-httpd-php=/usr/local/lib/
application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/

 

I have commented out those lines, then I added suPHP_ConfigPath /home/user/public_html/php.ini to a .htaccess file.
I copied the system php.ini and made some changes. I then ran phpinfo and can see my changes and the php.ini file is loaded from the new location.

Your script only appears to make it easy to modify a php.ini for users but does not prevent users from creating their own.