The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

openbase_dir does not work with http://ip/~user

Discussion in 'General Discussion' started by casey, Jul 31, 2003.

  1. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    As the subject states, if you do a php info using the domain, the openbase_dir shows the correct information. However, if you access this by http://ip/~user then openbase_dir says "no value".

    Is it still secure?

    cPanel.net Support Ticket Number:
     
  2. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    I think to fix this the Openbase dir settings has to be added Directory based not Virtual Host.

    ex.
    <Directory "/home/Username">
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/Username:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    </Directory>

    cPanel.net Support Ticket Number:
     
  3. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Re: Re: openbase_dir does not work with http://ip/~user

    I'm not a guru, so I can only agree.:) If this is the case, can you correct this, Nick? If it is possible, that will be much easier than doing it one by one.

    cPanel.net Support Ticket Number:
     
  4. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    Re: Re: Re: openbase_dir does not work with http://ip/~user

    This will solve two problems:
    http://IP.SERVER/~username
    ^^ will limit him to use folder and tmp ..etc

    and
    http://www.anotherdomain.com/~username
    ^^^ will limit him to his folder and allow his site to work.

    Is the mod_userdir protection working for you? (without bandwidth protect module)
     
    #4 mmkassem, Jul 31, 2003
    Last edited: Jul 31, 2003
  5. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Re: Re: Re: Re: openbase_dir does not work with http://ip/~user

    Yes, it is working great as long as the person uses his domain to access files. However, if he uses /~username to access them the restriction is no longer applied to him.

    cPanel.net Support Ticket Number:
     
  6. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    Re: Re: Re: Re: Re: openbase_dir does not work with http://ip/~user

    How?

    Here I have mod_userdir protection enabled and I did not exclude anything.
    when I try:

    http://www.user1.com/~user2
    it loads .. should not it prevent that?

    cPanel.net Support Ticket Number:
     
  7. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Mine gives a message saying,

    cPanel.net Support Ticket Number:
     
  8. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    Mine either make a 404 or allow all domains. (Contacted cpanel)

    Anyway back to Topic:

    Did you submit a ticket about it?

    It has to be directory based because:
    http://IP.ADDRESS/~username
    will have no openbase dir if virtual host based. Insecure

    http://www.domain.com/~username
    will use the domain.com openbase dir settings if virtual host. which generates errors.

    But directory based will make it work anywhere using only it's openbase dir settings only.

    cPanel.net Support Ticket Number:
     
  9. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Added feature request.

    cPanel.net Support Ticket Number: 19876
     
  10. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
  11. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    Use mod_userdir protection.

    cPanel.net Support Ticket Number:
     
  12. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
  13. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    you can unexclude the nobody user. You should not be able to access them if you done that. (if mod_userdir protection is working correctly)

    cPanel.net Support Ticket Number:
     
  14. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
  15. mmkassem

    mmkassem Well-Known Member

    Joined:
    Oct 21, 2002
    Messages:
    390
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Egypt
    check my previous post ..
    did you uncheck user nobody?

    cPanel.net Support Ticket Number:
     
  16. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Let us determine if mod_userdir protection is being used correctly, in the httpd.conf file.

    #
    # UserDir: The name of the directory which is appended onto a user's home
    # directory if a ~user request is received.
    #

    <IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled
    UserDir enabled Username1 Username2
    </IfModule>

    If you did not want anyone to have access, then just comment out the "enabled" line.

    # UserDir enabled
     
    #16 Website Rob, Aug 12, 2003
    Last edited: Aug 12, 2003
  17. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    270
    Likes Received:
    0
    Trophy Points:
    16
    mod_userdir protection

    Hello, uncheck nobody in Tweak Security?? I don't have this option.

    ..or did you say -Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)- ??

    This option is checked and I can access to http://IP.SERVER/~username or http://ns.dns.com/~username

    Thanks!

    cPanel.net Support Ticket Number:
     
Loading...

Share This Page