The Community Forums


Limit php to users home dir

Discussion in 'General Discussion' started by sehh, Oct 24, 2007.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    How can I force PHP to only access files within the user's home directory?

    I'm using Apache 1.3.x and PHP v4 and v5 together in cPanel v11 STABLE.

    I want this feature so that a user can't install a php file manager and browse the system remotely.

    Thank you.
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    You may want to change the setting for open_basedir in php.ini for both PHP 4 and 5 to try to curb the ability to browse folders outside /home/user.

    Additionally, if security is a concern, you may wish to run SuPHP (now supported in EA3, simply select it on the "Advanced Configuration" screen). You may also consider running Suhosin.
     
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    First, let me suggest that you run suPHP if you do not already.

    Second, I believe the open_basedir directive is what prevents users from accessing outside of their web root, but I don't understand it fully and there may still be ways around that.

    Third, when you build apache, checkmark:

    Fileprotect (in EasyApache3)
    Prevent Users from reading other webroots (in EA2/EA1)

    Mike
     
  4. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Thank you both for your answers. I believe my system is using suexec, as I see the PHP scripts in the process list starting with "/usr/local/apache/bin/suexec", but I don't know if suexec has its own configuration.

    So, based on the fact that I'm running suexec, is "open_basedir" enough to stop PHP scripts from browsing around?

    PS:
    I'd like to avoid running EasyApache to recompile it, since the current Apache binary has been running fine without problems for a year or so.
     
  5. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Hmm, Google pointed me to a page in WHM that does just that:

    under "Security Center", select the option "Tweak php open_basedir Security"

    Running suexec along with the open_basedir tweak, is that enough?
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    You can never be secure enough. Do everything you can to secure it. You shouldn't look to Cpanel or anybody else to give you a 'thumbs up', seriously. Nobody else can vouch for the security of your system or guarantee that somehow, some way, somebody can't gain access to information across sites, directories, etc.

    Suexec/SuPHP, open_basedir, mod_security, making sure Apache is compiled with options mentioned in previous posts, will go a long way.

    Add to that disabling ALL shell access, possibly running Suhosin if you are able to do it without breaking all of your sites / module functionality.

    Mike
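    As an added example (not code from this thread, from cPanel or from suPHP), the layers named in posts 2 and 6 can be checked from inside a PHP script: whether open_basedir really blocks reads outside the account, whether the shell-execution functions (which open_basedir never covers) have been removed with disable_functions, whether the script runs as the account owner as it would under suPHP/suexec, and whether Suhosin is loaded. It assumes it is dropped into a test account's web root and fetched in a browser, or run from the CLI with a matching open_basedir; the /home/user layout and all paths are hypothetical, and the code is written to stay compatible with PHP 5.

    ```php
    <?php
    // Added example, not from the thread, cPanel or suPHP: report which hardening layers
    // are actually in force for the account this script runs under.
    // Assumptions (hypothetical): the account lives in /home/user; run it as that user,
    // e.g. via the browser under suPHP/suexec, or `php -d open_basedir=/home/user:/tmp check.php`.

    function check_open_basedir()
    {
        // open_basedir is only honoured by PHP's own filesystem functions (fopen, include,
        // file_get_contents, opendir, ...). Reading /etc/passwd through them must fail.
        $data = @file_get_contents('/etc/passwd');
        return array(
            'setting'    => ini_get('open_basedir'),          // "" when the directive is unset
            'etc_passwd' => ($data === false) ? 'blocked' : 'READABLE',
        );
    }

    function check_shell_functions()
    {
        // open_basedir does NOT apply to these: system("cat /etc/passwd") walks straight past it.
        // Only disable_functions in php.ini (or Suhosin's executor function blacklist) removes them.
        $risky   = array('exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open');
        $enabled = array();
        foreach ($risky as $fn) {
            // function_exists() returns false for functions removed via disable_functions.
            if (function_exists($fn)) {
                $enabled[] = $fn;
            }
        }
        return $enabled;   // an empty array is the result you want
    }

    function check_process_user()
    {
        // Under suPHP/suexec the script runs as the account owner, so the effective uid
        // equals the owner of the script file. Under plain mod_php every site runs as the
        // same web-server user, which is why open_basedir alone is a weak boundary there.
        $euid  = function_exists('posix_geteuid') ? posix_geteuid() : null;
        $owner = fileowner(__FILE__);
        return array(
            'euid'          => $euid,
            'file_owner'    => $owner,
            'runs_as_owner' => ($euid !== null && $euid === $owner),
        );
    }

    function check_suhosin()
    {
        return extension_loaded('suhosin');
    }

    header('Content-Type: text/plain');

    $ob = check_open_basedir();
    echo "open_basedir       : ", ($ob['setting'] === '' || $ob['setting'] === false) ? '(not set)' : $ob['setting'], "\n";
    echo "  read /etc/passwd : ", $ob['etc_passwd'], "\n";

    $shell = check_shell_functions();
    echo "shell functions    : ", count($shell) ? 'ENABLED: ' . implode(', ', $shell) : 'all disabled', "\n";

    $pu = check_process_user();
    echo "runs as file owner : ", $pu['runs_as_owner'] ? 'yes (suPHP/suexec style)' : 'no (euid ' . var_export($pu['euid'], true) . ', owner ' . $pu['file_owner'] . ')', "\n";

    echo "suhosin loaded     : ", check_suhosin() ? 'yes' : 'no', "\n";
    ```

    The point the script makes concrete is that open_basedir constrains only PHP's own file functions; the exec family bypasses it completely, so a file manager that shells out to `ls` or `cat` still browses the whole box unless those functions are gone. The php.ini lines that the checks correspond to would be `open_basedir = /home/user:/tmp` and `disable_functions = exec,shell_exec,system,passthru,popen,proc_open` (paths are this example's assumption), and they belong in the php.ini that the suPHP/CGI binary reads: `php_admin_value` lines in httpd.conf are honoured by mod_php only, not by PHP running as CGI under suexec or suPHP.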
     
  7. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Thank you for your suggestions.

    I don't want to make any major changes, because next week stage 2 will hit the door for the STABLE release and I don't want to break anything. Once stage 2 is complete and Apache 2.x is running, I'll go for a custom recompile and remove anything I don't need (like FrontPage extensions).
     