The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

open_basedir with suphp on global php.ini?

Discussion in 'Security' started by morrow95, Oct 14, 2012.

  1. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Just switched from dso to suphp on my server. I want to add back the openbase_dir protection I had previously. Now, I have already performed the following in /opt/suphp/etc/suphp.conf to disable users to have individual php.ini files on their accounts :

    Code:
    [phprc_paths]
    ;Uncommenting these will force all requests to that handler to use the php.ini
    ;in the specified directory regardless of suPHP_ConfigPath settings.
    application/x-httpd-php=/usr/local/lib/
    application/x-httpd-php4=/usr/local/php4/lib/
    application/x-httpd-php5=/usr/local/lib/
    With that said, is it possible to enable open_base dir in the global php.ini file for all the accounts? From what I am reading I would need to set individual php.ini's on all accounts to enable this which then goes against the fact I am preventing that in the first place.

    Any help would be great... using php 5.3 by the way...
     
  2. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    You can use php 5.3's path feature like this example. in the global php.ini

    Code:
    [PATH=/home/username/public_html]
    memory_limit=64M
    register_globals=Off
    allow_url_fopen=Off
    post_max_size=20M
    upload_max_filesize=20M
    session.save_path=/home/username/sessions
    upload_tmp_dir=/home/username/uploads
    open_basedir=/home/username/public_html:/usr/local/lib/php/:/home/username/php/
    
    You can add as many as you need. :)
     
  3. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, but I was looking to just add openbase_dir for all accounts on the server since they are now all using the global .ini... are you saying I need to enter :

    Code:
    [PATH=/home/username/public_html]
    open_basedir=/home/username/public_html:/usr/local/lib/php/:/home/username/php/
    
    for every single account...any every time I add an account? There isn't a way to add a single entry which would take care of all of them?
     
  4. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Well you could always write a script to do this automatically,.

    php.ini has an open_basedir that is global, but if you set it to say /home that means user1 can access user2 directories. This isn't secure.
     
  5. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    I'm aware of this... perhaps I need to be more clear. I am using suphp so I cannot use the open_base dir settings in WHM... I need to specify them in the php.ini. Now, since I performed the steps mentioned in my earlier post... I am preventing user specific php.ini use and forcing every account to use the global php.ini file. With that said, is there any way to add open_base dir protection in the global php.ini file (say using variables or something) or must I manually add every account into it with the code I listed in my last response?
     
  6. srpurdy

    srpurdy Well-Known Member

    Joined:
    Jun 1, 2011
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    You'll have to manually do this for each user.

    Or like I said you could write a script that would edit the global php.ini and add accounts to it for you. But you need to look at cPanel API I have no real advice on that aspect.
     
Loading...

Share This Page