Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

open_basedir with suphp on global php.ini?

Discussion in 'Security' started by morrow95, Oct 14, 2012.

  1. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    Just switched from dso to suphp on my server. I want to add back the openbase_dir protection I had previously. Now, I have already performed the following in /opt/suphp/etc/suphp.conf to disable users to have individual php.ini files on their accounts :

    Code:
    [phprc_paths]
    ;Uncommenting these will force all requests to that handler to use the php.ini
    ;in the specified directory regardless of suPHP_ConfigPath settings.
    application/x-httpd-php=/usr/local/lib/
    application/x-httpd-php4=/usr/local/php4/lib/
    application/x-httpd-php5=/usr/local/lib/
    With that said, is it possible to enable open_base dir in the global php.ini file for all the accounts? From what I am reading I would need to set individual php.ini's on all accounts to enable this which then goes against the fact I am preventing that in the first place.

    Any help would be great... using php 5.3 by the way...
     
  2. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    You can use php 5.3's path feature like this example. in the global php.ini

    Code:
    [PATH=/home/username/public_html]
    memory_limit=64M
    register_globals=Off
    allow_url_fopen=Off
    post_max_size=20M
    upload_max_filesize=20M
    session.save_path=/home/username/sessions
    upload_tmp_dir=/home/username/uploads
    open_basedir=/home/username/public_html:/usr/local/lib/php/:/home/username/php/
    
    You can add as many as you need. :)
     
  3. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    Thanks, but I was looking to just add openbase_dir for all accounts on the server since they are now all using the global .ini... are you saying I need to enter :

    Code:
    [PATH=/home/username/public_html]
    open_basedir=/home/username/public_html:/usr/local/lib/php/:/home/username/php/
    
    for every single account...any every time I add an account? There isn't a way to add a single entry which would take care of all of them?
     
  4. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Well you could always write a script to do this automatically,.

    php.ini has an open_basedir that is global, but if you set it to say /home that means user1 can access user2 directories. This isn't secure.
     
  5. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    I'm aware of this... perhaps I need to be more clear. I am using suphp so I cannot use the open_base dir settings in WHM... I need to specify them in the php.ini. Now, since I performed the steps mentioned in my earlier post... I am preventing user specific php.ini use and forcing every account to use the global php.ini file. With that said, is there any way to add open_base dir protection in the global php.ini file (say using variables or something) or must I manually add every account into it with the code I listed in my last response?
     
  6. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    You'll have to manually do this for each user.

    Or like I said you could write a script that would edit the global php.ini and add accounts to it for you. But you need to look at cPanel API I have no real advice on that aspect.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice