SOLVED open_basedir and Jailed apache

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
  • Like
Reactions: Rodrigo Gomes

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

I see no harm in enabling PHP open_basedir when Mod_Ruid2 with the "Jail Apache Virtual Hosts" option is enabled. For instance,
as documented at Jail Apache Virual Hosts:

Code:
Each user who configured jailshell or noshell as the shell experiences the following changes:

    The chroot command jails the user's Apache Virtual Hosts into the /home/virtfs directory.
    The system adds the RDocumentChRoot directive to the user's Virtual Host.
Thus, if normal shell access is assigned to an account, you may find the PHP open_basedir setting helpful.

Thank you.
 
  • Like
Reactions: Rodrigo Gomes

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello Michael,

Thanks for the answer.
I wonder if it is necessary to activate the open_basedir when "Jail Apache Virtual Hosts" option is enabled,
Taking into account that this option activated generates some php warnings, especially for some Wordpress plugins.
And that (Unless I got it wrong) jailed apache already limits user access to its own folder.

All my costumers have jailed access to the shell. What worries me are the PHP and CGI scripts.
This is an important question for me, because currently I leave the open_basedir disabled and I trust in Jail Apache to limit each user to its own folder.

UPDATE:
I can test this if you guys do not have the answer to that.
I came to ask first because I would like a more trustworthy answer on this subject.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

The "Jail Apache Virtual Hosts" option limits the user's filesystem view to their /home/virtfs/$USER filesystem, however the option is still considered Experimental so it's not something we can definitively tell you will work in every circumstance.

You'd still want to test this out, or consult with a qualified security expert or system administrator to determine if enabling both options could address potential vulnerabilities.

Thank you.
 

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello Michael,

After many tests, I came to the conclusion that the open_basedir restriction is necessary even with jail apache enabled.
Many configuration files and sensitive files on the server are accessible without this restriction. Which can compromise server security.
Especially if you are not sure that the files permissions are set correctly.

Anyway, open_basedir is an important protection and should be activated even with jail apache enabled.
 
  • Like
Reactions: cPanelMichael