SOLVED open_basedir and Jailed apache

Discussion in 'Security' started by Rodrigo Gomes, Dec 9, 2016.

  1. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    82
    Likes Received:
    21
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Newbie question :)

    Is open_basedir protection necessary in jailed Apache?

    I think it's not, and I leave it off by default,
    but to be sure, I came to ask you guys!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Rodrigo Gomes likes this.
  3. Rodrigo Gomes

    Hello Michael,

    open_basedir restricts user access to their own directories via PHP.
    And Jailed Apache does the same, but at the Apache level.

    So, is enabling open_basedir protection necessary when you already use Jailed Apache?
     
  4. cPanelMichael

    Hello,

    I see no harm in enabling PHP open_basedir when Mod_Ruid2 with the "Jail Apache Virtual Hosts" option is enabled. For instance, as documented at Jail Apache Virtual Hosts:

    Code:
    Each user who configured jailshell or noshell as the shell experiences the following changes:
    
        The chroot command jails the user's Apache Virtual Hosts into the /home/virtfs directory.
        The system adds the RDocumentChRoot directive to the user's Virtual Host.
    
    Thus, if normal shell access is assigned to an account, you may find the PHP open_basedir setting helpful.

    Thank you.
     
    Rodrigo Gomes likes this.
  5. Rodrigo Gomes

    Hello Michael,

    Thanks for the answer.
    I wonder if it is necessary to activate open_basedir when the "Jail Apache Virtual Hosts" option is enabled,
    taking into account that this option, when activated, generates some PHP warnings, especially for some WordPress plugins,
    and that (unless I got it wrong) jailed Apache already limits user access to its own folder.

    All my customers have jailed access to the shell. What worries me are the PHP and CGI scripts.
    This is an important question for me, because currently I leave open_basedir disabled and I trust in Jail Apache to limit each user to its own folder.

    UPDATE:
    I can test this if you guys do not have the answer to that.
    I came to ask first because I would like a more trustworthy answer on this subject.
     
    #5 Rodrigo Gomes, Dec 13, 2016
    Last edited: Dec 13, 2016
  6. cPanelMichael

    Hello,

    The "Jail Apache Virtual Hosts" option limits the user's filesystem view to their /home/virtfs/$USER filesystem; however, the option is still considered Experimental, so it's not something we can definitively tell you will work in every circumstance.

    You'd still want to test this out, or consult with a qualified security expert or system administrator to determine if enabling both options could address potential vulnerabilities.

    Thank you.
     
  7. Rodrigo Gomes

    Hello Michael,

    After many tests, I came to the conclusion that the open_basedir restriction is necessary even with jail Apache enabled.
    Many configuration files and sensitive files on the server are accessible without this restriction, which can compromise server security,
    especially if you are not sure that the file permissions are set correctly.

    Anyway, open_basedir is an important protection and should be activated even with jail apache enabled.
     
    cPanelMichael likes this.
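
One way to repeat the kind of test described in the last post on a test account, as an added example that is not part of the thread or of cPanel's documentation: a PHP script that reports the effective open_basedir value and how a few paths outside the account's home look from the PHP runtime. The probe list and the `probe()` helper are assumptions made for illustration.

```php
<?php
// Added audit example (not from the thread). Request it through the web
// server as a test account, once with open_basedir off and once with it on.
header('Content-Type: text/plain');

// Constructed probe list (assumption): locations outside the account's home.
$probes = ['/etc/passwd', '/etc', '/home', '/tmp', '/var/log'];

// Classify one path as seen by the PHP runtime serving this request.
function probe(string $path): string
{
    error_clear_last();
    $readable = @is_readable($path);          // "@" hides the warning from output
    $err = error_get_last();                  // ...but it is still recorded here
    if ($err !== null && strpos($err['message'], 'open_basedir') !== false) {
        return 'blocked by open_basedir';
    }
    if (!$readable) {
        return 'not readable (absent from this filesystem view or denied by permissions)';
    }
    if (is_dir($path)) {
        return @scandir($path) === false ? 'directory, listing denied' : 'directory, listable';
    }
    return 'file, readable';
}

$basedir = ini_get('open_basedir');
echo 'open_basedir : ', ($basedir === '' || $basedir === false) ? '(not set)' : $basedir, "\n";
echo 'effective uid: ', function_exists('posix_geteuid') ? posix_geteuid() : 'n/a', "\n";
echo 'script dir   : ', __DIR__, "\n\n";

foreach ($probes as $path) {
    printf("%-12s %s\n", $path, probe($path));
}
```

Comparing the two runs shows which paths only open_basedir is blocking. Remove the script from the account once the test is done.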