
Open Dir

Discussion in 'General Discussion' started by bojomojo, Jul 31, 2008.

  1. bojomojo

    bojomojo Member

    When the Open base dir is disabled it's more secure, right?

    Or shall I enable it?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. bojomojo

    bojomojo Member

    But I know someone who had a forum and had open dir enabled, and someone was able to see the config.php file and got the password out of it.

    What exactly does it do?
     
  4. k.agashe

    k.agashe Member

    Hello,

    The open_basedir function defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basedir, PHP will refuse to open it.

    If the function is relaxed then using PHP functions the file would be accessible.
     
  5. sparek-3

    sparek-3 Well-Known Member

    This setting in cPanel only works if PHP is running as a DSO Apache module. If you are using PHP as CGI or PHP with suPHP, then the open_basedir setting doesn't really do anything.
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Just a note that if you use SuPHP, the PHP script will essentially be unable to read/write any files that user does not have permission to modify.
     
  7. MaraBlue

    MaraBlue Well-Known Member

    Ahhhhhhhhhhh...thank you for this. I just moved servers, and changing Apache from CGI to DSO was the only change, everything else I'm attempting to replicate. Only when I enable what I always thought were the standard security measures...mySQL can't connect, internal 500 errors, etc.

    That's why I love this business. Learn something new every day :)
     
  8. johny_gjx

    johny_gjx Active Member

    I'm afraid it does not prevent reading, and it's really important to make note of.
     
  9. sparek-3

    sparek-3 Well-Known Member

    It will if the files have the appropriate permissions.

    With suPHP enabled, a PHP script can have the permissions of 0600 and still be viewable on that account.

    For example:

    /home/user1/public_html/file.php can have permissions of 0600. The domain name associated with user1 is mydomain.com. You can still visit the file by going to http://mydomain.com/file.php.

    Now another user on the server, user2, will not have significant privileges to view the file at /home/user1/public_html/file.php because the permissions on that file are too low for user2 to be able to read the file.

    Effectively, having permission of 0600 means that only user1 can read or write to this file.
     
  10. johny_gjx

    johny_gjx Active Member

    What I quoted says that once a user does not have permission to modify a file, suPHP would prevent them from reading/writing the file; please check again what I have quoted.

    /etc/passwd is 644 and the user can't modify it; however, suPHP can't prevent this root-owned file from being read as long as it is 644.

    Only safe_mode or open_basedir restrictions can help with this.

    It is important to think of what suPHP can really do and what it can't do.
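
An added example, not code from any poster in this thread: a small audit that applies the permission point made above (under suPHP a PHP file at 0600 is still served, while a 0644 file is readable by every local account) by listing PHP files under a docroot that group or other can read or write. The function names and the sample tree are hypothetical and constructed for the example; it assumes suPHP, so PHP scripts run as the account owner.

```python
import os
import stat
import tempfile


def audit_docroot(docroot, suffixes=(".php",)):
    """Return [(path, octal_mode)] for PHP files accessible beyond their owner.

    Only PHP files are checked: static files are read by the web server
    itself and usually need wider permissions.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group/other read, write or execute bit
                findings.append((path, format(mode, "04o")))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one account docroot with three PHP files."""
    docroot = os.path.join(root, "user1", "public_html")
    os.makedirs(docroot)
    for name, mode in (("config.php", 0o644),
                       ("file.php", 0o600),
                       ("index.php", 0o640)):
        path = os.path.join(docroot, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return docroot


def demo():
    """Audit the constructed tree and return [(filename, mode)]."""
    with tempfile.TemporaryDirectory() as root:
        docroot = build_sample_tree(root)
        return [(os.path.basename(p), m) for p, m in audit_docroot(docroot)]


if __name__ == "__main__":
    for name, mode in demo():
        print(f"{mode} {name}: accessible beyond the owner")
```

This only covers the file-permission side of the discussion; files such as /etc/passwd that must stay 644 are outside what a permission audit can tighten.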
     