Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

open_basedir security etc

Discussion in 'Security' started by protocol, Aug 12, 2004.

  1. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    156
    Hi

    I have open_basedir enabled hoever a customer wants to use a php script that uses imagemagick binaries that are in /usr/bin/. Either I can remove open_basedir for his account or I think could add /usr/bin/ to the list of allowed paths. What is the best/most secure thing to do?

    Thanks in advance.

    Will
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Lewisville, Tx
    We have asked for a coulple of features on this one in the past with no response. You can add directories to the openbase by editing /scripts/phpopenbasectl (think that is it, it is similar). When in the file just search for tmp and you can add extra directories in that line. One we did was netpbm for galleries.

    After you edit the file make sure you do a chatter +i or it will get overwritten.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    168
    Instead of /usr/bin you should probably have a copy of imagemagick in /usr/X11R6/bin, in that case you can add this in your httpd.conf file for that account.

    php_admin_value safe_mode_exec_dir /usr/X11R6/bin

    Otherwise you would be giving access to many other binaries in /usr/bin.

    By the way, are you sure that open_basedir causes the 'problem' ? From what I remember it's safe_mode that blocks this.
     
  4. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Lewisville, Tx
    For netpbm we have to allow /usr/local/netpbm. We don't allow access to the direct ImageMagick stuff so couldn't help you there. You can do the full path to the application though to try and make it more secure.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. protocol

    protocol Well-Known Member
    PartnerNOC

    Joined:
    Apr 13, 2004
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    156
    Thanks guys, I think i willl add the specific open_basedir paths to each binary.

    Regards

    Will
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice