open_basedir not working - help!

Discussion in 'General Discussion' started by n000b, Sep 17, 2007.

  1. n000b

    I've just noticed that my open_basedir protection is not working, and I am able to include other users' files on my server!

    open_basedir is enabled in cPanel, and I verified that by looking in httpd.conf - this is what is in there (for one of the users):

    As you can see, open_basedir *is enabled*. But I'm still able to include other users' files. Am I missing something obvious here or is open_basedir not working?

    Thanks :)
     
  2. linux.newbie

    Try
    # /scripts/phpopenbasectl off
    # /scripts/phpopenbasectl on
    # /scripts/restartsrv_apache
     
  3. bin_asc

    open_basedir isn't effective. I saw the effect too. It won't allow users to browse under /home/, but in /home/ it allows it. I'm switching to suPHP.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Could you expound on that please? It's possible we are missing something, but I'm not fully understanding your statement above.
     
  5. bin_asc

    open_basedir is enabled on my server, but the thing is that it keeps shell scripts from going under /home/, like /, or /root and so on, but it allows users to browse other /home/user/ directories.
     
  6. n000b

    Nope, still doesn't work.

    Am I doing something wrong or is there a bug somewhere here that is causing a massive security hole? Should others be checking to make sure their open_basedir is working correctly?
     
  7. bin_asc

    Hopefully Kenneth will be able to give us some information.
     
  8. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

  9. bin_asc

    Well, I was referring to shell scripts. A shell c99 script or r57 ... I can send you some shell scripts, if you want to try.
     
  10. bin_asc

    Steps to reproduce:
    Enable open_basedir on all (some) accounts. Create a new account in WHM. Make sure open_basedir is enabled for it. Upload a shell script (like I said, I can provide one). Start browsing other users' /home/user/ files ....
     
  11. rustelekom

    Couldn't it be easier to just run a PHP script with phpinfo() inside in any /home/username/public_html and get the same result? If you check the open_basedir value in its output you will see that it is not set (if you do not set it in the server php.ini). I cannot confirm this for the PHP module, but for suPHP I can.
     
  12. bin_asc

    It's not the debate of whether it's on or off, it's that it doesn't do what it is supposed to do.
     
  13. rustelekom

    I wouldn't like to debate, I only prefer the easy way of doing things. At least in situations where it is possible.
    If someone asked me why it does not work, I would say that it happens because when you use suPHP you should place PHP directives only in the php.ini file inside the user home directory where you would like to change something. PHP directives placed in the virtual hosts section will be ignored.
     
  14. bin_asc

    I'm not using suPHP, and neither is the other fella. If I were, I wouldn't need open_basedir.
     
  15. rustelekom

    I don't know what version of Apache/PHP you use, but for the case of Apache 1.3.xxx/PHP 5.2.xxx it should probably work if you edit your virtualhost section like this:

    ServerAlias auscong.com
    ServerAdmin webmaster@auscong.com
    DocumentRoot /home/auscong/public_html
    BytesLog domlogs/auscong.com-bytes_log
    User auscong
    Group auscong
    php_admin_value open_basedir "/home/auscong/:/usr/lib/php:/usr/local/lib/php:/tmp"
     
  16. bin_asc

    You don't understand. It's not that it isn't added, it's that it doesn't do what it is supposed to do: stop users from sniffing others' /home/user/ ...
     
  17. bin_asc

    YES. You finally got it.
     
  18. rustelekom

    Do you mean that the open_basedir directive is enabled, you see it in the phpinfo output under the user account, but it does not prevent the user from accessing folders outside of /home/username?
     
  19. rustelekom

    And what do you use to do this? Any PHP shell script like c99, r57, etc.? With which script function?
     
  20. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    That's the problem. Those scripts use features that bypass open_basedir. You need to disable all shell, process, exec and related facilities in PHP to control those types of scripts.

    open_basedir will only govern things like:

    Code:
    <?php
    
    include_once("/path/to/other/vhost/public_html");
    
    $fh = fopen("http://not.my.domain/~/otheruser/file.php", "r");
    
    $all = readfile("/path/to/system/etc/passwd");
    
    ?>
    

    For example, with open_basedir enabled, I'm using the following script from /usr/home/bug5866/public_html/test.php
    Code:
    $ cat test.php
    <?php
    
    include_once("/usr/home/dumbhome/public_html/included.php");
    
    echo `cat /etc/passwd`;
    
    ?>
    
    It's sourcing from someone else's public_html. Does the included.php file exist?
    Code:
    ulluco# stat /usr/home/dumbhome/public_html/included.php
    86 12247053 -rw-r--r-- 1 dumbhome nobody 48932199 64 "Sep 19 13:33:21 2007" "Sep 19 13:33:21 2007" "Sep 19 13:33:21 2007" "Sep 19 13:33:21 2007" 4096 4 0 /usr/home/dumbhome/public_html/included.php
    ulluco# 
    
    Now, what happens when I execute that script in my browser?
    As you can see, open_basedir blocked the include_once directive, but was ineffective against the backticks (``). The only way to block those is to disable shell, exec, process control, etc. from PHP. This can be done either by disabling certain extensions at compile time, or by adding them to the disable_functions= directive in php.ini.
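
An added example, not part of the thread and not cPanel's code: a PHP page an administrator can serve from the vhost under test to report the effective open_basedir value and which command-execution functions are still callable, which is the gap the last post describes. The function list is an assumption and is not exhaustive; PHP 7 or later is assumed.

```php
<?php
// Added example: audit the effective PHP settings of the vhost serving this file.
// EXEC_FUNCTIONS is an assumed, non-exhaustive list of command-execution
// functions. open_basedir only governs PHP's own file access, not the commands
// these functions start. Disabling shell_exec() also disables the backtick operator.
const EXEC_FUNCTIONS = [
    'exec', 'system', 'passthru', 'shell_exec',
    'popen', 'proc_open', 'pcntl_exec',
];

// Returns a list of findings; an empty list means both controls are in place.
// $exists is injected so the check can be exercised without changing php.ini.
function audit_php_isolation(string $openBasedir, string $disableFunctions,
                             callable $exists): array
{
    $disabled = array_filter(array_map('trim', explode(',', $disableFunctions)));
    $findings = [];

    if ($openBasedir === '') {
        $findings[] = 'open_basedir is not set for this vhost';
    }
    foreach (EXEC_FUNCTIONS as $fn) {
        // Before PHP 8 a disabled function still "exists", so check the
        // disable_functions list as well as function_exists().
        if ($exists($fn) && !in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is callable and is not limited by open_basedir";
        }
    }
    return $findings;
}

$findings = audit_php_isolation(
    (string) ini_get('open_basedir'),
    (string) ini_get('disable_functions'),
    'function_exists'
);

header('Content-Type: text/plain');
echo 'open_basedir = ', ini_get('open_basedir') ?: '(unset)', "\n";
echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
```

Request the page through the web server rather than the CLI, because values set with php_admin_value in a virtual host only apply to requests handled by that vhost.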
     