Open_Basedir, trailing slash after /tmp - will it stop creating directories ?

Discussion in 'General Discussion' started by jeroman8, Jul 26, 2005.

  1. jeroman8

    I have a problem with exploits in scripts that upload stuff to the tmp directory
    and run them there. It's different kinds of activities but none is welcome.

    So, finding these exploits is of course the best way to fix it, but as a security
    method I wonder if adding a trailing slash / after the tmp in the open_basedir lines in httpd.conf will prevent the exploit/script from making a directory in tmp?

    As it is now it says:
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/user/:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>

    If I instead have /tmp/ at the end, it should stop it from making/accessing anything
    under /tmp, right?

    On some servers there are a few directories in tmp but I can't see it is
    needed for php scripts. - Any idea ?
     
  2. RavenSoul_

  3. jeroman8

    All of that is already done and is basically what /scripts/securetmp is doing,
    and that does not prevent scripts from running in /tmp all the time. Most of the time yes,
    but if you start the script in a certain way it does not help.

    What I wanted was a way to stop php scripts from creating directories in /tmp
    and open_basedir might be way to do that.
     
  4. chirpy

    AFAIK, it won't make a difference. Linux copes very well if you address directories with too many slashes, e.g.:

    ls -la //var//log//

    The only realistic way is to fix the problem php scripts in the first place and use a good set of mod_security secfilters.
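
Added example, not part of any post in this thread: a simplified Python model of the prefix-style open_basedir match that the PHP manual describes for older PHP releases, run against the open_basedir value quoted in the first post. The function names and sample paths are constructed for illustration, and the model normalizes paths lexically only (real PHP also resolves symlinks).

```python
import posixpath
import re

# The value from the first post, and the same value with the proposed trailing slash.
WITHOUT_SLASH = "/home/user/:/usr/lib/php:/usr/local/lib/php:/tmp"
WITH_SLASH = "/home/user/:/usr/lib/php:/usr/local/lib/php:/tmp/"


def normalize(path):
    """Collapse repeated slashes and resolve '.' and '..' lexically."""
    return posixpath.normpath(re.sub(r"/+", "/", path))


def allowed(path, open_basedir):
    """Return True if `path` passes the modelled open_basedir check."""
    target = normalize(path)
    for entry in open_basedir.split(":"):
        if not entry:
            continue
        base = normalize(entry)
        if entry.endswith("/"):
            # Trailing slash: the entry names one directory, so only that
            # directory and what lies beneath it match.
            if target == base or target.startswith(base.rstrip("/") + "/"):
                return True
        elif target.startswith(base):
            # No trailing slash: plain string prefix, so "/tmp" also
            # matches sibling paths such as "/tmpfoo".
            return True
    return False


def compare(paths):
    """Map each path to (allowed without slash, allowed with slash)."""
    return {p: (allowed(p, WITHOUT_SLASH), allowed(p, WITH_SLASH)) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths.
    samples = ["/tmp/newdir", "//tmp//newdir//", "/tmpfoo/x", "/etc/passwd"]
    for path, (before, after) in compare(samples).items():
        print(f"{path:18} /tmp -> {before!s:5}  /tmp/ -> {after}")
```

In this model both settings permit /tmp/newdir, so the trailing slash does not stop directory creation under /tmp; the only path whose result changes is the sibling /tmpfoo/x.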
     