SOLVED open_basedir and Jailed apache

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello,

I see no harm in enabling PHP open_basedir when Mod_Ruid2 with the "Jail Apache Virtual Hosts" option is enabled. For instance, as documented at Jail Apache Virtual Hosts:

Code:
Each user who configured jailshell or noshell as the shell experiences the following changes:

    The chroot command jails the user's Apache Virtual Hosts into the /home/virtfs directory.
    The system adds the RDocumentChRoot directive to the user's Virtual Host.
Thus, if normal shell access is assigned to an account, you may find the PHP open_basedir setting helpful.

Thank you.
 
  • Like
Reactions: Rodrigo Gomes

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello Michael,

Thanks for the answer.
I wonder if it is necessary to activate open_basedir when the "Jail Apache Virtual Hosts" option is enabled,
taking into account that this option, when activated, generates some PHP warnings, especially for some WordPress plugins,
and that (unless I got it wrong) jailed Apache already limits user access to its own folder.

All my customers have jailed access to the shell. What worries me are the PHP and CGI scripts.
This is an important question for me, because currently I leave open_basedir disabled and I trust Jail Apache to limit each user to its own folder.

UPDATE:
I can test this if you guys do not have the answer to that.
I came to ask first because I would like a more trustworthy answer on this subject.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello,

The "Jail Apache Virtual Hosts" option limits the user's filesystem view to their /home/virtfs/$USER filesystem; however, the option is still considered Experimental, so it's not something we can definitively tell you will work in every circumstance.

You'd still want to test this out, or consult with a qualified security expert or system administrator to determine if enabling both options could address potential vulnerabilities.

Thank you.
 

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello Michael,

After many tests, I came to the conclusion that the open_basedir restriction is necessary even with Jail Apache enabled.
Many configuration files and sensitive files on the server are accessible without this restriction, which can compromise server security,
especially if you are not sure that the file permissions are set correctly.

Anyway, open_basedir is an important protection and should be activated even with jail apache enabled.
 
  • Like
Reactions: cPanelMichael
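
One way to repeat the kind of test described in this thread, as an added example that is not part of any post above and not cPanel's own code: a PHP script, run through the web server from a test account, that reports whether paths outside the account's directory are readable, so the result can be compared with open_basedir unset and set. The probe list is a constructed sample, and the script assumes it sits in the document root one level below the account's home directory.

```php
<?php
// Added example: list which probe paths PHP can read and flag those that lie
// outside the account's own directory. Run once without open_basedir and once
// with it, then compare the two reports.
header('Content-Type: text/plain');

// Assumption: this file is in the document root, one level below the home
// directory. realpath() can fail under open_basedir, so fall back to the raw path.
$allowedBase = realpath(dirname(__DIR__)) ?: dirname(__DIR__);

// Constructed sample list; replace with the files that matter on your server.
$probePaths = ['/etc/passwd', '/etc/hosts', '/tmp', __DIR__];

// True when $path is $base itself or lies below it (plain prefix comparison,
// symlinks are not resolved).
function is_inside(string $path, string $base): bool
{
    $base = rtrim($base, '/');
    return $path === $base || strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Returns one row per path: readable or not, inside the base or not.
function audit_paths(array $paths, string $base): array
{
    $rows = [];
    foreach ($paths as $p) {
        // "@" hides the "open_basedir restriction in effect" warning;
        // a blocked path simply reports as not readable.
        $readable = @is_readable($p);
        $inside   = is_inside($p, $base);
        $rows[] = [
            'path'     => $p,
            'readable' => $readable,
            'exposed'  => $readable && !$inside,
        ];
    }
    return $rows;
}

$basedir = ini_get('open_basedir');
echo 'open_basedir = ', ($basedir ? $basedir : '(not set)'), "\n";
echo 'allowed base = ', $allowedBase, "\n\n";
foreach (audit_paths($probePaths, $allowedBase) as $r) {
    printf("%-8s %s\n", $r['exposed'] ? 'EXPOSED' : 'ok', $r['path']);
}
```

Any line marked EXPOSED with Jail Apache enabled is a path the jail alone does not hide from PHP; it should change to ok once open_basedir covers only the account's directories.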