The Community Forums


open_basedir protection

Discussion in 'Security' started by epaslv, Aug 16, 2016.

  1. epaslv

    epaslv Member

    Contrary to what PHP open_basedir Tweak - Documentation - cPanel Documentation says
    when you enable or disable Home » Security Center » PHP open_basedir Tweak
    no changes are made to any files.

    One would expect changes to be written to /etc/apache2/conf/httpd.conf.

    I can see the timestamp change on the file but performing a diff on
    /etc/apache2/conf/httpd.conf and a previously saved file shows no difference.

    Running
    CENTOS 7.2 x86_64 virtuozzo – WHM 58.0 (build 20)
     
  2. ThinIce

    ThinIce Well-Known Member

    From your other thread I believe you're using suPHP? cPanelMichael will correct me if I'm wrong but I believe PHP open_basedir tweak has no effect under suphp (as the relevant value can by default be changed per user in their php.ini file)
     
  3. RWH Tech

    RWH Tech Well-Known Member

    I know that under mod_cgid you must change the setting in php.ini for each PHP version you run.

    Right now I've disabled it because it causes issues all over the place, composer is an example, and I'm pressed for time.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you let us know the PHP handler installed on your system? You can check with the following command:

    Code:
    /usr/local/cpanel/bin/rebuild_phpconf --current
    Thank you.
     
  5. epaslv

    epaslv Member

    Thanks for your note.

    The only working solution I have is to use suphp and place php.ini in the public_html with open_basedir specified.

    While I prefer to use cgi, suphp is the only solution I have that works. The PHP open_basedir Tweak has no effect on or off, both in cgi and in suphp.
     
  6. epaslv

    epaslv Member

    This is what I have

    DEFAULT PHP: ea-php56
    ea-php56 SAPI: cgi

    I also created a custom profile, to remove PHP 5.5 and PHP7
    I
    {
    "desc" : "Auto Generated profile",
    "pkgs" : [
    "ea-apache24",
    "ea-apache24-config",
    "ea-apache24-config-runtime",
    "ea-apache24-mod_bwlimited",
    "ea-apache24-mod_cgid",
    "ea-apache24-mod_deflate",
    "ea-apache24-mod_expires",
    "ea-apache24-mod_headers",
    "ea-apache24-mod_mpm_worker",
    "ea-apache24-mod_proxy",
    "ea-apache24-mod_proxy_fcgi",
    "ea-apache24-mod_proxy_http",
    "ea-apache24-mod_security2",
    "ea-apache24-mod_ssl",
    "ea-apache24-mod_suexec",
    "ea-apache24-mod_suphp",
    "ea-apache24-mod_unique_id",
    "ea-apache24-tools",
    "ea-apr",
    "ea-apr-util",
    "ea-cpanel-tools",
    "ea-documentroot",
    "ea-libmcrypt",
    "ea-php-cli",
    "ea-php56",
    "ea-php56-build",
    "ea-php56-libc-client",
    "ea-php56-pear",
    "ea-php56-php-bcmath",
    "ea-php56-php-bz2",
    "ea-php56-php-calendar",
    "ea-php56-php-cli",
    "ea-php56-php-common",
    "ea-php56-php-curl",
    "ea-php56-php-dba",
    "ea-php56-php-enchant",
    "ea-php56-php-exif",
    "ea-php56-php-fileinfo",
    "ea-php56-php-fpm",
    "ea-php56-php-ftp",
    "ea-php56-php-gd",
    "ea-php56-php-gettext",
    "ea-php56-php-gmp",
    "ea-php56-php-iconv",
    "ea-php56-php-imap",
    "ea-php56-php-intl",
    "ea-php56-php-ioncube",
    "ea-php56-php-ldap",
    "ea-php56-php-mbstring",
    "ea-php56-php-mcrypt",
    "ea-php56-php-mysqlnd",
    "ea-php56-php-odbc",
    "ea-php56-php-pdo",
    "ea-php56-php-posix",
    "ea-php56-php-process",
    "ea-php56-php-pspell",
    "ea-php56-php-snmp",
    "ea-php56-php-soap",
    "ea-php56-php-sockets",
    "ea-php56-php-xml",
    "ea-php56-php-xmlrpc",
    "ea-php56-php-zendguard",
    "ea-php56-php-zip",
    "ea-php56-runtime"
    ],
    "name" : "PHP 56.json",
    "version" : "1.0",
    "tags" : [
    "Apache 2.4",
    "PHP 5.6"
    ]
    }
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The following document is helpful here:

    PHP open_basedir Tweak - Documentation - cPanel Documentation

    Per this document:

    Thank you.
     
  8. ThinIce

    ThinIce Well-Known Member

    There is actually another option here, outlined by cPTristan now a fair amount of time ago in the thread at

    Methods to Increase Security on suPHP - Restricting who can use php.ini files

    If you don't want users to have their own individual php.ini files under suphp you can disable this per his instructions and then specify the open basedir path restrictions in the main php.ini for each user / user app. It's not ideal, but it works.
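
Added example, not part of any post in this thread: since the posts above place the open_basedir setting in php.ini (per PHP version under CGI, or per user under suPHP) rather than in httpd.conf, this sketch audits php.ini text for the effective `open_basedir` and checks whether probe paths fall inside it. The sample php.ini contents, the user names and the function names are constructed for illustration. It assumes the Unix `:` separator, ignores `[PATH=]`/`[HOST=]` sections, and compares paths lexically, whereas PHP also resolves symlinks.

```python
import posixpath

# Constructed sample php.ini contents (not taken from the thread).
SAMPLE_INIS = {
    "global php.ini, directive commented out":
        "[PHP]\n; open_basedir = /home\nmemory_limit = 128M\n",
    "per-user php.ini in public_html":
        '[PHP]\nopen_basedir = "/home/exampleuser:/tmp"\n',
}

def effective_open_basedir(ini_text):
    """Return the allowed directories, or [] when open_basedir is unset."""
    value = ""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if "=" not in line:
            continue                          # section headers, blank lines
        key, val = (part.strip() for part in line.split("=", 1))
        if key == "open_basedir":             # directive names are case sensitive
            value = val.strip("\"'")          # the last assignment wins
    return [posixpath.normpath(d) for d in value.split(":") if d]

def is_allowed(path, allowed_dirs):
    """True if path is inside an allowed directory; [] means unrestricted."""
    if not allowed_dirs:
        return True
    path = posixpath.normpath(path)           # collapses '..' components
    return any(path == d or path.startswith(d.rstrip("/") + "/")
               for d in allowed_dirs)

def audit(inis, probe_paths):
    """Map each php.ini label to (allowed_dirs, {probe_path: allowed})."""
    report = {}
    for label, text in inis.items():
        dirs = effective_open_basedir(text)
        report[label] = (dirs, {p: is_allowed(p, dirs) for p in probe_paths})
    return report

if __name__ == "__main__":
    probes = ["/home/exampleuser/public_html/index.php",
              "/home/otheruser/public_html/config.php"]
    for label, (dirs, results) in audit(SAMPLE_INIS, probes).items():
        print(label, "->", dirs or "UNRESTRICTED")
        for path, ok in results.items():
            print("   ", "allowed" if ok else "blocked", path)
```

An empty result from `effective_open_basedir` is the case to look for: that php.ini imposes no restriction, whatever the WHM tweak is set to.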
     