open_basedir (-like) security for PHP5 CGI

Discussion in 'Security' started by Miss Jacky, Mar 30, 2006.

  1. Miss Jacky

    Miss Jacky Well-Known Member

    Joined:
    Mar 4, 2004
    Messages:
    91
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Running PHP5 as CGI, I'm wondering if it is possible to provide security like the open_basedir directive (as with PHP as an Apache module) for this CGI PHP5 install.

    Tnx in advance for any tips!

    regards
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you're running it as CGI then there's an implication that open_basedir isn't necessary as all you need is proper directory and file permission/ownership settings as the scripts access files as the unix account user.
     
  3. Miss Jacky

    Miss Jacky Well-Known Member

    Hi chirpy,

    tnx for the tip... I didn't think of this because the current permissions in my /home dir don't give this security.

    I guess the simplest way is to have each user directory something like this:

    drwx--x--- 9 username nobody

    But cpanel creates my accounts like this:

    drwx--x--x 9 username username

    Am I thinking in the right way here?

    Can you change this so cPanel creates the users' dirs with these perms/ownership?
     
  4. chirpy

    chirpy Well-Known Member

    The permissions on the dirs are fine: since PHP scripts are run as the username, the permissions are accessed through the username. Since CGI scripts (with suexec) run as the username and PHP scripts (with phpsuexec) do the same, the nobody user having group access is moot.
     
  5. Miss Jacky

    Miss Jacky Well-Known Member

    But now the dirs have also the execute permission for 'other' users (711), so any user can get in any userdir. Tested it with a php include, can include files from other users' dir. Am I missing something here?
     
  6. Miss Jacky

    Miss Jacky Well-Known Member

    Sorry I *was* missing a point here...
    I was looking at the user directories but I should have been looking at the public_html directories.

    If these public_html folders are 750 with user:nobody then everything is fine.. the rest of the files in the user directory have the necessary permissions to hold back other users.
    But for some reason, a lot of public_html folders weren't configured like that. Now they are :)

    If anyone else once reads this thread looking for answers:

    chgrp nobody /home/*/public_html
    chmod 750 /home/*/public_html

    Which fixes wrong user:user ownerships and removes permissions for other users.

    Thanks for your time chirpy
     
  7. chirpy

    chirpy Well-Known Member

    A quick way to do the ownership/permissions on the public_html dirs is to use:

    /scripts/chownpublichtmls
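
The layout the thread settles on (public_html at mode 750 with group nobody) can be checked read-only before or after changing anything. This is an added example, not part of the original thread: the function name audit_public_html and its output labels are made up here, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: read-only audit of */public_html under a home base.
# Flags directories that still grant access to "other" users or whose
# group is not the web server group (nobody in the thread).
# Assumes GNU coreutils stat (-c format strings).

# audit_public_html HOME_BASE [WEB_GROUP]
# Prints one line per finding; returns 1 if anything was flagged, else 0.
audit_public_html() {
    base=$1
    web_group=${2:-nobody}
    bad=0
    for dir in "$base"/*/public_html; do
        [ -d "$dir" ] || continue        # unmatched glob, or not a directory
        mode=$(stat -c '%a' "$dir")      # octal mode, e.g. 750 or 711
        group=$(stat -c '%G' "$dir")     # group name, e.g. nobody
        other=$((mode % 10))             # last octal digit = "other" bits
        if [ "$other" -ne 0 ]; then
            echo "OTHER-ACCESS mode=$mode $dir"
            bad=1
        fi
        if [ "$group" != "$web_group" ]; then
            echo "GROUP group=$group expected=$web_group $dir"
            bad=1
        fi
    done
    return "$bad"
}

# Typical call on a server laid out as in the thread:
#   audit_public_html /home nobody
```

An empty result with exit status 0 means every public_html directory under the base already matches the layout.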
     