How to configure SuPHP to use only the MultiPHP INI file, not user inis, and open_basedir?

Hi cPanel team,

I wrote out some steps in the past on how to configure SuPHP to use only the MultiPHP INI file and to set the open_basedir for users on the system. However, I noticed that phpinfo() doesn't seem to mention the php ini in /usr/local/lib which I'm apparently "forcing the handler to use" so that's obviously not working.

In addition to that not working, I noticed that php ini isn't the one in MultiPHP INI anyway so that's not too troubling but I do want to "enforce" all accounts to use the MultiPHP INI and not have the ability to use *anything* else, even user inis.

Can someone tell me how to configure SuPHP to only use the MultiPHP INI file and none others, especially not user inis per account?

I'm also very confused whether I've configured the open_basedir entries correctly too. Is that accurate or have i done a bad job of that? (is there a better way?)

(Steps I've been using up to now that don't work)
Configure SuPHP and open_basedir Protection

1. Go to Software > MultiPHP Manager > PHP Handlers. Select Edit on ea-php70, choose suphp and click Apply.
   
2. Due to SuPHP allowing individual php.ini files, restrict all accounts to the global php.ini file. Uncomment the following lines in /opt/suphp/etc/suphp.conf
   [phprc_paths]
   ;Uncommenting these will force all requests to that handler to use the php.ini
   ;in the specified directory regardless of suPHP_ConfigPath settings.
   application/x-httpd-php=/usr/local/lib/
   ;application/x-httpd-php4=/usr/local/php4/lib/
   ;application/x-httpd-php5=/usr/local/lib/
3. Go to Software > MultiPHP INI Editor. Change to Editor Mode tab and select ea-php70. Add the following to the bottom of the config.
   [PATH=/home/myacc1]
   open_basedir = "/home/myacc1:/usr/lib/php:/usr/local/lib/php:/tmp"
   [PATH=/home/myacc2]
   open_basedir = "/home/myacc2:/usr/lib/php:/usr/local/lib/php:/tmp"
   [PATH=/home/myacc3]
   open_basedir = "/home/myacc3:/usr/lib/php:/usr/local/lib/php:/tmp"
   [PATH=/home/myacc4]
   open_basedir = "/home/myacc4:/usr/lib/php:/usr/local/lib/php:/tmp"
   
4. Comment out original open_basedir line.

 

To re-word my problem, I want to lock down SuPHP to use only the MultiPHP INI file and not allow individual INI files (including .user.ini). Is this possible?

Bonus points if you can give me a real world example why I shouldn't lock it down :P

 

Hi @cPanelMichael,

I was merely hoping to lock it down to avoid potential for exploitation, but nothing in particular. With that said, you've talked me out of it haha. I won't proceed with that at all, I will leave it as it were out-of-the-box

With the INI stuff out of the way now, would you know how I can set the open_basedir for each user? (and where?). I'm using SuPHP as handler so the tweak in WHM doesn't do the trick.

Any guidance would, as always, be super appreciated! Thanks

 

Hi @cPanelMichael

Thanks for the response.

I wonder, based on what I read in the thread you cited, would this be correct for what to set open_basedir to then?

open_basedir = "/home/myacc1/public_html:/usr/lib/php:/usr/local/lib/php:/var/cpanel/php/sessions"

Note: I took /tmp out because you stated it was no longer required, and that sessions folder was added because it appears that it is required now according to the thread.

Can you tell me if that looks like a suitable open_basedir to use in cPanel before I set it?

 

Hi @cPanelMichael

Sorry to be a pain, but what does the "open_basedir Tweak" set for DSO? Is it what you put above?

Wouldn't I just need to set the same open_basedir directive as what the tweak sets, but per account in cPanel fo suPHP?

 

Fantastic - Thanks cPanelMichael! I think I understand now

I've used your suggestion for my open_basedir directive for each cPanel, but with the addition of the share/pear directory as per SOLVED - Something went wrong while saving this configuration: Validate class not found from basename to overcome an include_path expectation so that Magento 2 works.

This is what I used:
open_basedir = "/home/myacc1:/opt/cpanel/ea-php70/root/usr/bin/php:/usr/local/bin/ea-php70:/usr/bin/ea-php70:/var/cpanel/php/sessions/ea-php70:/opt/cpanel/ea-php70/root/usr/share/pear"

 

Hi @cPanelMichael

Looks like I celebrated too soon! My gut made me wonder if it was actually taking effect so I checked in phpinfo and its set to 'no value' in Local and Master value. Uh oh

Would you know why that might be?

 

Hi @cPanelMichael,

Silly me, I was choosing "Home Directory" instead of "domainname.com" in the cPanel > MultiPHP INI Editor > Editor Mode and editing that. It clearly states not to edit it, but I totally didn't notice haha.

Home Directory modifies /home/username/php.ini
domainname.com modifies /home/username/public_html/php.ini

Works great now I'm editing the right file. Thanks Michael!

 

Jumped the gun again, darn it! Just realised that doing the same in the domain that uses PHP-FPM doesn't show the open_basedir in phpinfo that I just set in cPanel in the same way as the SuPHP domain.

I just changed domain from PHP-FPM to No and the open_basedir shows the value from /home/username/public_html/php.ini that I set via cPanel > MultiPHP INI Editor, but changing it back to Yes (to use PHP-FPM) ignore that file it seems?

Thoughts on that, Mike?
Now SuPHP has been answered, how to set open_basedir for PHP-FPM now? >_>

Also, are you sure that /tmp shouldn't be in the open_basedir too?

 

Thanks @cPanelMichael

Just before I do that though, will cPanel/WHM updates undo this at any point?

Is there a plan for PHP-FPM settings to be changed within WHM? Is a shame that it looked like the INI editor was the right way to set PHP directives, it would be good if it was clear that the INI editor is of no use to domains using PHP-FPM.

 

Thanks @cPanelMichael

I've followed the general instructions and I'm happy with the result now. It's not optimal right now but one day I think it could be once the MultiPHP INI Editor changes affect PHP-FPM config too (and not get overridden) which you said an internal case for so that's awesome.

Just in case anyone has been following this thread, it got a bit confusing in the middle there because I asked how to configure SuPHP when really it was PHP-FPM I was trying to configure (sorry about that) but nonetheless here is what I did:

1. Followed the steps in the thread I was linked
2. Created and edited the PHP-FPM global YAML config file at /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml, adding:
   
   Code:

   php_value_open_basedir: { name: 'php_value[open_basedir]', value: "[% documentroot %]:/opt/cpanel/[% ea_php_version %]/root/usr/bin/php:/usr/local/bin/[% ea_php_version %]:/usr/bin/[% ea_php_version %]:/var/cpanel/php/sessions/[% ea_php_version %]:/opt/cpanel/[% ea_php_version %]/root/usr/share/pear" }

3. Checked phpinfo and the open_basedir directive has been reflected, with correct PHP version.

Thanks for the help, Mike. I don't think I would've realised the MultiPHP INI Editor wasn't supposed to config PHP-FPM without you enlightening me. I just thought my installation was broken.

Appreciate the help. I'm sorted now