The Community Forums

Interact with an entire community of cPanel & WHM users!

open_basedir security etc

Discussion in 'Security' started by protocol, Aug 12, 2004.

  1. protocol

    protocol Well-Known Member
    PartnerNOC

    Hi

    I have open_basedir enabled, however a customer wants to use a PHP script that uses imagemagick binaries that are in /usr/bin/. Either I can remove open_basedir for his account or I think I could add /usr/bin/ to the list of allowed paths. What is the best/most secure thing to do?

    Thanks in advance.

    Will
     
  2. kris1351

    kris1351 Well-Known Member

    We have asked for a couple of features on this one in the past with no response. You can add directories to the openbase by editing /scripts/phpopenbasectl (think that is it, it is similar). When in the file just search for tmp and you can add extra directories in that line. One we did was netpbm for galleries.

    After you edit the file make sure you do a chattr +i or it will get overwritten.
     
  3. jamesbond

    jamesbond Well-Known Member

    Instead of /usr/bin you should probably have a copy of imagemagick in /usr/X11R6/bin, in that case you can add this in your httpd.conf file for that account.

    php_admin_value safe_mode_exec_dir /usr/X11R6/bin

    Otherwise you would be giving access to many other binaries in /usr/bin.

    By the way, are you sure that open_basedir causes the 'problem'? From what I remember it's safe_mode that blocks this.
     
  4. kris1351

    kris1351 Well-Known Member

    For netpbm we have to allow /usr/local/netpbm. We don't allow access to the direct ImageMagick stuff so couldn't help you there. You can do the full path to the application though to try and make it more secure.
     
  5. protocol

    protocol Well-Known Member
    PartnerNOC

    Thanks guys, I think I will add the specific open_basedir paths to each binary.

    Regards

    Will
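
The trade-off discussed in this thread (a narrow directory versus a broad one such as /usr/bin, or no open_basedir at all) can be checked across every account. This is an added example, not code from the thread or from cPanel. The names `audit`, `check`, `BROAD_DIRS`, the sample hostnames and the treatment of a vhost without an open_basedir line as unrestricted are assumptions.

```python
import posixpath
import re

# Assumed list of directories that hold many unrelated system binaries.
BROAD_DIRS = {"/", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}
PHP_VALUE = re.compile(r"php_admin_value\s+(open_basedir|safe_mode_exec_dir)\s+(.+)", re.I)

# Constructed sample httpd.conf fragment, not taken from a real server.
SAMPLE = """\
<VirtualHost 192.0.2.10>
    ServerName gallery.example.com
    php_admin_value open_basedir "/home/gallery:/tmp:/usr/bin/"
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName shop.example.com
    php_admin_value open_basedir "/home/shop:/tmp"
    php_admin_value safe_mode_exec_dir /usr/X11R6/bin
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName legacy.example.com
</VirtualHost>
"""

def check(name, values):
    # Report a missing open_basedir (assumes no server-wide value applies) and broad dirs.
    out = [] if "open_basedir" in values else [(name, "open_basedir", "NOT SET")]
    for directive, value in values.items():
        paths = {posixpath.normpath(p) for p in value.split(":") if p}
        out += [(name, directive, p) for p in sorted(paths & BROAD_DIRS)]
    return out

def audit(conf_text):
    # Walk <VirtualHost> blocks; return (ServerName, directive, issue) tuples.
    findings, name, values = [], None, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        low = line.lower()
        if low.startswith("<virtualhost"):
            name, values = "(unnamed)", {}
        elif values is None:
            continue
        elif low.startswith("</virtualhost"):
            findings += check(name, values)
            values = None
        elif low.startswith("servername"):
            name = line.split()[-1]
        elif m := PHP_VALUE.match(line):
            values[m.group(1).lower()] = m.group(2).strip().strip("\"'")
    return findings
```

Calling `audit(SAMPLE)` flags the gallery vhost for allowing /usr/bin and the legacy vhost for having no open_basedir line, while the vhost that uses /usr/X11R6/bin passes.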
     