php.ini and open_basedir

Discussion in 'Security' started by DeepXP, Sep 26, 2010.

  1. DeepXP

    DeepXP Well-Known Member

    Joined:
    Feb 20, 2005
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Internet
    cPanel Access Level:
    Root Administrator
    Hi guys,

    This might not be related to cPanel/WHM but it's surely related to security of the server.

    In DSO mode, when you enable open_basedir, it does not allow the user to access any files beyond its home directory, but in the case of suPHP we have to enable it in php.ini and put the path there. But in this, you can simply put /home/ but you cannot put the "home" directory of that user. So, the user can read any file inside the /home/ directory.

    Yes, it cannot write anything to it as those files are not owned by that user.

    Now, my concern here is, don't you think there is a security hole in this? A user, using any server side language can get the list of all the users (directories) in /home/ then get inside those directories and scan for vulnerable files or even archive or sql files.

    Is there any way to restrict this and limit the access only to their home directories? (Yes, I know, individual php.ini files can be added for every user but I guess that's not a practical solution)

    Any kind of suggestions / ideas are welcome.

    Thanks
    Deep
     
  2. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    First off, DSO is just basic Apache with hardly any security, so this probably can happen. As mentioned a lot of times on this forum and several others, use at your own risk**

    I find that if you switch to cgi or suphp then the above is not possible.

    If you're using DSO then you will be asking for trouble, as the security within Apache is minimal if not NONE.

    Read this thread here, as it's been mentioned a lot. Spiral made a very good job of explaining things.

    http://forums.cpanel.net/f189/dso-vs-suphp-vs-fastcgi-146353.html#post621641
     
  3. DeepXP

    DeepXP Well-Known Member

    Yup, I am not a fan of DSO, but I wanted some kind of workaround in suPHP...
     
  4. GaryT

    GaryT Well-Known Member

    What kind of workaround?

    Imagine yourself enabling and using suPHP. Can you say what the issue is or what it's doing or not doing? I don't quite understand.

    To me, if you're having to enable it manually via php.ini then I can only guess that in:

    WHM > SECURITY > PHP open_basedir Tweak > Is enabled but no accounts selected.

    Just tick the box and enable for selected domains. No need to keep editing the php.ini.
     
  5. DeepXP

    DeepXP Well-Known Member

    Gary, when you have suPHP enabled, the option in WHM doesn't work.

    Please go through my explanation in the start of the thread, you will understand what I am trying to say.
     
  6. GaryT

    GaryT Well-Known Member

    I have no issues with this here :confused:

    When switching, did you fix the ownerships?
     
  7. DeepXP

    DeepXP Well-Known Member

    Hi Gary,

    The WHM open_basedir settings work for DSO mode but when the PHP is set to suPHP, the same settings do not work and we have to enable open_basedir in php.ini and specify the path there.

    Now, in DSO mode, it was possible to restrict each user to its own home directory, but in suPHP you cannot really do that, as you have to specify the value in php.ini.

    Say for e.g. if the value is /home/ then the user will be restricted to the home directory but he will have read access to all the directories under /home/

    So if the user is xyz, he can simply access files of abc by listing files under /home/abc/.

    Whereas in DSO mode, you cannot do that; the user cannot go beyond /home/xyz/

    I hope I did not confuse you.

    Regards,
    Deep
     
  8. GaryT

    GaryT Well-Known Member

    I get what you're saying but I do not get what you want to use - DSO or suPHP :rolleyes:

    Probably me reading it wrong, but when switching from DSO to suPHP - I guess you have changed the permission sets over?
     
  9. DeepXP

    DeepXP Well-Known Member

    I am actually using suPHP as it's the best mode from what I understand, but I want to find a way to restrict the user to its own directory if open_basedir is enabled under suPHP.

    While changing the mode from DSO to suPHP (this was done a year back), yes, we had changed all 777 permissions to 755 using a script.

    Regards,
    Deep
     
  10. DeepXP

    DeepXP Well-Known Member

    Suggestions anyone?
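
Added example, not part of the original thread: under suPHP each script runs as the account owner, so whether user xyz can read /home/abc comes down to Unix mode bits rather than a shared open_basedir value. The audit below, meant to be run as root against /home, flags homes and first-level entries that other accounts can reach; the function names and the sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_homes(home_root):
    """Return (path, issue) pairs for entries other local accounts can reach."""
    findings = []
    for name in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, name)
        st = os.lstat(home)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:
            findings.append((home, "home is listable by other users"))
        if not mode & stat.S_IXOTH:
            continue  # others cannot traverse, so nothing below is reachable
        # Home is traversable: flag first-level entries others can read.
        for entry in sorted(os.listdir(home)):
            path = os.path.join(home, entry)
            emode = stat.S_IMODE(os.lstat(path).st_mode)
            if emode & stat.S_IROTH:
                findings.append((path, "readable by other users"))
    return findings

def demo():
    """Build a constructed /home layout in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    layout = {  # constructed sample accounts: (home mode, {entry: mode})
        "abc": (0o755, {"backup.sql": 0o644, "public_html": 0o755}),
        "xyz": (0o711, {"backup.sql": 0o600, "public_html": 0o750}),
        "locked": (0o700, {"notes.txt": 0o644}),
    }
    for user, (home_mode, entries) in layout.items():
        home = os.path.join(root, user)
        os.mkdir(home)
        for entry, mode in entries.items():
            path = os.path.join(home, entry)
            if entry == "public_html":
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(home, home_mode)
    return [(os.path.relpath(p, root), issue) for p, issue in audit_homes(root)]

if __name__ == "__main__":
    for path, issue in demo():
        print(f"{path}: {issue}")
```

In the sample layout only the 755 home is reported; the 711 home with a 750 public_html and the 700 home produce no findings.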
     