How to set upload_tmp_dir to a dynamic path in multiphp ini editor

[DevTeam9200]

Hi All,

Is there a way to set the php.ini for all users for upload_tmp_dir to a dynamic path. Example I want all users upload path to be set to /home/$username/public_html/tmp

This is the setting I found in WHM -> Multi php ini editor

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
; PHP: Description of core php.ini directives - Manual
; upload_tmp_dir =


How ever I cannot seem to figure out how to use /home/$username/public_html/tmp in this ini editor.

OR EVEN better can some on please advise if it is possible for the user to the set the upload_tmp_dir directory in there own cpanel account? is this possible. (it is not a public server but privately managed with just one site on it).


OS : CentOS v7.9.2009 STANDARD kvm
cPanel Version : 106.0.9

Running EA and Engintron
Also PHP-FPM is in use and turned on.

Thanks

 

[timkah]

You can uncomment upload_tmp_dir and set a path for it
upload_tmp_dir = /home/user/tmp

 

[DevTeam9200]

You can uncomment upload_tmp_dir and set a path for it
upload_tmp_dir = /home/user/tmp

Hi Timkah,

I am aware of that but what is the "variable" to place "user" ie if I use /home/user/tmp then it "user" be automatiacally replaced with example fred1com

let say cpanel account is fred1com and i use the above will it automatically replace /home/user/tmp with /home/fred1com/tmp ?

Please see my php.info not showing what I would expect /home/fred1com/tmp it is showing /home/user/tmp

what is the "variable" for user is my question I really guess I am asking? Is it %username% $username etc



To clarify even further is I want to edit mutli php editor in WHM backend and edit this setting that applies to "ALL" users on that server.

Or alternatively I guess if I must set this setting "per user" where do I edit this setting for only just 1 single user account.

 

[rbairwell]

How ever I cannot seem to figure out how to use /home/$username/public_html/tmp in this ini editor.

Do not put the tmp directory in the public webroot - it may contain data which can be used to breach the site (such as some session information, temporary uploads - someone could upload a malicious file and then try and execute it in that folder by calling it via the web). Go for /home/$username/tmp/ if you must - but be aware that by default tmpwatch doesn't automatically remove empty files from there (it does /tmp and /var/tmp (and a few others) - so user directories may get full with temporary files.

OR EVEN better can some on please advise if it is possible for the user to the set the upload_tmp_dir directory in there own cpanel account? is this possible. (it is not a public server but privately managed with just one site on it).

Yes, this can be done under cPanel->Software->MultiPHP INI Editor->Editor Mode.

How ever I cannot seem to figure out how to use /home/$username/public_html/tmp in this ini editor.

There's not an easy way that I know of (off the top of my head) to do this, but there may be a workaround (I haven't tested this!):

* Create a file such as /etc/php_tmp_folder_rewrite.php
* In it have the code:

<?php
$tmp_dir='/home/'.get_current_user().'/tmp/';
if (!empty($tmp_dir) && is_dir($tmp_dir) && is_writable($tmp_dir)) {
  ini_set('upload_tmp_dir',$tmp_dir);
}

(alternatively, setting to:
* $tmp_dir = dirname($_SERVER['DOCUMENT_ROOT'] ).'/tmp/'; or
* $tmp_dir = posix_getpwuid(getmyuid())['dir'].'/tmp/'; or
* $tmp_dir = posix_getpwnam(get_current_user())['dir'].'/tmp/'; or
* $tmp_dir = getenv('HOME').'/tmp/'; (see this StackOverflow answer for a full function)
may be better: like I said, untested!)

and then in the WHM->Software->MultiPHP INI Editor->Editor Mode change auto_prepend_file = to auto_prepend_file = /etc/php_tmp_folder_rewrite.php. Once PHP-FPM/Apache is restarted, every PHP page request should then load that file in (before everything else, but after the user's .ini files) and change the temporary directory.

Alternatively, you may find editing the Apache template files a possibility .

 

[DevTeam9200]

Do not put the tmp directory in the public webroot - it may contain data which can be used to breach the site (such as some session information, temporary uploads - someone could upload a malicious file and then try and execute it in that folder by calling it via the web). Go for /home/$username/tmp/ if you must - but be aware that by default tmpwatch doesn't automatically remove empty files from there (it does /tmp and /var/tmp (and a few others) - so user directories may get full with temporary files.

Yes, this can be done under cPanel->Software->MultiPHP INI Editor->Editor Mode.

Thanks for the advise and direction. One quick last confirmation that setting it as /tmp as per below should be fine from a security perspective and have no issues? Would you advise there is a security concern or server performance issue with the below at all? If so what ?





I believe reconfiguring the server entirely for this is not viable. client will need to rewrite their application to work and capture the uploads from the /tmp directory instead as it appears to be the more practical and secure standard method.

Thanks so much for assistance! Great stuff

 

[rbairwell]

. One quick last confirmation that setting it as /tmp as per below should be fine from a security perspective and have no issues?

That's fine. That is the standard server root temporary directory and should be reasonably secure from third parties (it's possible that other users on the same server could access the files, but they should be automatically created with your userid which should allow protection).

I believe reconfiguring the server entirely for this is not viable. client will need to rewrite their application to work and capture the uploads from the /tmp directory instead as it appears to be the more practical and secure standard method.

If it is just for the one user, they can add the upload_tmp_dir setting via their cPanel->Software-MultiPHP INI Editor and set it to /home/<theirusername>/tmp if they wanted to.

If they are using the standard PHP upload method for handling files, that will use upload_tmp_dir automatically (and if they need other temporary files, then sys_get_temp_dir and tmpfile should be their friends). The only reasons I can think of for changing the upload_tmp_dir is additional security (to prevent other users on the same server accessing the files: but standard Linux user security should take care of that) or if the files are too small for the /tmp directory - in which case, I would more suggest to enlarge the tmp folder as otherwise you'll hit other issues in due course.