The Community Forums

How can I protect php.ini with suPHP?

Discussion in 'Security' started by dansgalaxy, Aug 12, 2009.

  1. WhiteDog

    WhiteDog Well-Known Member

    And another upgrade... now at version 0.8

    Install Instructions
    Code:
    cd /usr/local/cpanel/whostmgr/docroot/cgi
    wget -O addon_phpinimgr.php http://download.how2.be/whm/phpinimgr/addon_phpinimgr.php.txt
    chmod 700 addon_phpinimgr.php
    The changes are:
    - Added options to keep existing php.ini files when the solution is (re)enabled / disabled
    - Empty <user> folders under /usr/local/apache/conf/userdata/ are now removed as well
    - Added indicator (V) which checks for suphp_configpath.conf files
    - Improved layout / added more information
    - AUTO UPDATE BUTTON WHEN NEW VERSION IS AVAILABLE :)

    I discovered that the entries are not maintained when transferring an account to another server. This update gives you some insight on which accounts actually have it enabled and allows you to (re)enable it without overwriting the php.ini file already in place.

    Also updated the layout and added more descriptions and information so this plugin can be better understood :)

    Please leave a message if you use / like this plugin.
     
    #41 WhiteDog, Jun 1, 2012
    Last edited: Jun 1, 2012
  2. Brandonm

    Brandonm Active Member

    Trying to use this but when I click a username all I get is this:

    Those settings are already uncommented.
     
  3. Brandonm

    Brandonm Active Member

    Looks like they have to be commented instead. Works when I comment them out.
     
  4. WhiteDog

    WhiteDog Well-Known Member

    You are correct, that's a typo :) I updated the instructions in the next version.
    Feature requests are still welcome!
     
  5. Brandonm

    Brandonm Active Member

    One request would be to make the script automatically do this:

    At first it didn't work as expected but after going through the previous steps in the thread I realized this file wasn't created by the script itself and I had to create it manually.

    PS. Thanks a lot this script is very easy to use, I would easily pay a small fee for a script like this. :)
     
  6. WhiteDog

    WhiteDog Well-Known Member

    I think you are referring to the info posted by webinfomatrix.

    The script creates a suphp_configpath.conf file here: /usr/local/apache/conf/userdata/std/2/<username>/
    This is what (for me) allows <username> to use a custom php.ini file

    The code you posted above is (if I'm correct?) to force / lock a certain php.ini for ALL users.
    As webinfomatrix says: This will ensure all the users use the server side php configuration file. If you wish to keep the php.ini elsewhere, just change the value of “suPHP_ConfigPath” and follow the above steps.
    Do you want this added so users cannot create their own php.ini copies? (in combination with my solution)

    For the record: on my setup, just placing a php.ini file in the user's root folder does not work. It works only when I create suphp_configpath.conf in /usr/local/apache/conf/userdata/std/2/<username>/
     
  7. Brandonm

    Brandonm Active Member

    Oh I see, but I thought by commenting out:

    Would allow anyone to use a custom php.ini unless:

    Was in place?
     
  8. yanayun

    yanayun Member

    This command works fine for all websites to protect the user php.ini.
    It automatically adds the code Include "/usr/local/apache/conf/userdata/*.conf" to httpd.conf

    But there is a problem: a new user can't add this code automatically to httpd.conf.
    A new user adds this code automatically:

    Options -ExecCGI -Includes
    RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
     
  9. kjg

    kjg Well-Known Member

    Hi all and thank you WhiteDog for the plugin
    Probably it is just me, but I have a bit of a hard time understanding the steps I need to take.

    What I want to do is to restrict all accounts from creating/using custom php.ini and then add custom php.ini for a limited number of accounts using your plugin. I am running php 5.3.16 / suphp / centOS 6.3

    Having read this thread a couple of times, plus the info on the plugin's homepage, plus the thread about restricting usage of php.ini (http://forums.cpanel.net/f185/methods-increase-security-suphp-restricting-who-can-use-php-ini-files-167186.html) I still can't get it.

    Would appreciate if I could get some help in creating a simple step by step of things to do in order to get this to work.
    When I read the threads I understand it as it is recommended to use the "old way" to restrict usage and none of the two php 5.3 alternatives, but maybe I have misunderstood.

    So from what I understand, the only thing I need to do is to
    * install the plugin
    * use the plugin to add php.ini to the accounts that should have custom php.ini settings

    Will this really restrict all others from adding their own php.ini?

    From what I can see, the directories
    /usr/local/apache/conf/userdata
    /usr/local/apache/conf/userdata/ssl
    /usr/local/apache/conf/userdata/ssl/2
    /usr/local/apache/conf/userdata/std
    /usr/local/apache/conf/userdata/std/2
    /usr/local/apache/conf/userdata/std/2/accountname/
    are created

    In the directory
    /usr/local/apache/conf/userdata/std/2/accountname/
    the file suphp_configpath.conf is created with the following content:
    <IfModule mod_suphp.c>
    <Location />
    suPHP_ConfigPath /home/accountname
    </Location>
    </IfModule>

    So it all looks good, but it seems something is missing?

    As I understand the ability to create a custom php.ini for an account is not yet stopped, so how do I do that?

    Should I create a file called:
    suphp_config.conf
    with the following content:
    <IfModule mod_suphp.c>
    <Location />
    suPHP_ConfigPath /usr/local/lib
    </Location>
    </IfModule>
    and add that to folder:
    /usr/local/apache/conf/userdata/
    ?

    Or do I have to do anything else? Such as editing the /opt/suphp/etc/suphp.conf file

    Any advice would be appreciated.

    // kjg
     
    #49 kjg, Sep 15, 2012
    Last edited: Sep 15, 2012
  10. borgia

    borgia Member

    There is another easy way to do it with apache templates.
     
    #50 borgia, Sep 15, 2012
    Last edited: Sep 15, 2012
  11. tsiedsma

    tsiedsma Active Member

    I found an issue:
    PHP:
    if (check_suphpconf() == false) { die("Uncomment all entries starting with 'application/x-httpd-php' in $suphpconf under section [phprc_paths]. This action would do nothing."); }

    function check_suphpconf() {
        // returns true if OK
        GLOBAL $suphpconf;

        $ini_array = parse_ini($suphpconf);
        foreach ($ini_array as $key => $section) {
            if ($key == "phprc_paths") {
                if (is_array($section)) {
                    foreach ($section as $key => $value) {
                        if ($key == "application/x-httpd-php") { return false; }
                        if ($key == "application/x-httpd-php4") { return false; }
                        if ($key == "application/x-httpd-php5") { return false; }
                    }
                }
            }
        }
        return true;
    }
    Your function isn't correct. If the lines are uncommented, the keys will exist and your function will return false when it should return true. Your function will never return the correct results.
     
  12. WhiteDog

    WhiteDog Well-Known Member

    Hi tsiedsma, you are 100% correct. The problem here however is not in the code, it's in the documentation :) These lines should be commented, not uncommented...
     
  13. tsiedsma

    tsiedsma Active Member

    I thought they needed to be uncommented to restrict the user from adding their own php.ini and the .htaccess suPHP_ConfigPath directive.
    Code:
    [phprc_paths]
    ;Uncommenting these will force all requests to that handler to use the php.ini
    ;in the specified directory regardless of suPHP_ConfigPath settings.
    application/x-httpd-php=/usr/local/lib/
    application/x-httpd-php4=/usr/local/php4/lib/
    application/x-httpd-php5=/usr/local/lib/
    
     
  14. tsiedsma

    tsiedsma Active Member

    I have commented out those lines, then I added suPHP_ConfigPath /home/user/public_html/php.ini to a .htaccess file.
    I copied the system php.ini and made some changes. I then ran phpinfo and can see my changes and the php.ini file is loaded from the new location.

    Your script only appears to make it easy to modify a php.ini for users but does not prevent users from creating their own.
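
Added example, not part of any post above and not the plugin's own code: a small audit of the two settings this thread keeps returning to, namely whether the `[phprc_paths]` entries in suphp.conf are active and which accounts have a per-account `suphp_configpath.conf`. The function names, the `ok`/`check` flag, the `/home/<user>` assumption and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the plugin's code): report which php.ini policy suPHP enforces.

# Handlers that are active (uncommented) in [phprc_paths] of the given suphp.conf.
active_phprc_handlers() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[phprc_paths\]/); next }
        !in_sec || /^[ \t]*[;#]/ { next }   # other section, or commented out
        /^[ \t]*application\/x-httpd-php[0-9]*[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); print kv[1]
        }' "$1"
}

# FORCED: entries active, php.ini forced regardless of suPHP_ConfigPath. OPEN: commented.
phprc_policy() {
    if [ -n "$(active_phprc_handlers "$1")" ]; then echo FORCED; else echo OPEN; fi
}

# One line per account with a suphp_configpath.conf: "<user> <path> <ok|check>".
# Assumption: home directories are /home/<user>, as in the file shown in the thread.
account_overrides() {
    for f in "$1"/std/2/*/suphp_configpath.conf; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        path=$(awk '$1 == "suPHP_ConfigPath" { print $2; exit }' "$f")
        case "$path" in
            "/home/$user"|"/home/$user"/*) status=ok ;;
            *) status=check ;;
        esac
        printf '%s %s %s\n' "$user" "$path" "$status"
    done
}

# Constructed sample tree (not from a real server); prints the directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/userdata/std/2/alice" "$d/userdata/std/2/bob" "$d/userdata/std/2/carol"
    printf '%s\n' '[handlers]' 'application/x-httpd-php="php:/usr/bin/php"' \
        '[phprc_paths]' ';application/x-httpd-php=/usr/local/lib/' \
        ';application/x-httpd-php5=/usr/local/lib/' > "$d/suphp.conf"
    for pair in alice:/home/alice bob:/home/alice; do
        printf '<IfModule mod_suphp.c>\n<Location />\nsuPHP_ConfigPath %s\n</Location>\n</IfModule>\n' \
            "${pair#*:}" > "$d/userdata/std/2/${pair%%:*}/suphp_configpath.conf"
    done
    echo "$d"
}

sample=$(make_sample)
phprc_policy "$sample/suphp.conf"; account_overrides "$sample/userdata"; rm -rf "$sample"
```

On a server, the paths named in the thread would be passed instead of the sample: `/opt/suphp/etc/suphp.conf` and `/usr/local/apache/conf/userdata`.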
     