Please help with open_basedir!

Discussion in 'General Discussion' started by null, Jan 13, 2003.

  1. null

    null Member

    Joined:
    Dec 14, 2002
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hi, I have like 20 clients on my server and each of them has his own VirtualHost entry in httpd.conf.

    I want to set php open_basedir directive for every client, so that they will be able to include files only from their home directories.

    I don't want to write

    php_admin_value open_basedir "/home/client/"

    in every VirtualHost entry

    Is there any solution to do it for all clients with one line?

    Thanks
     
  2. null

    null Member

    Joined:
    Dec 14, 2002
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Anybody? Please help!
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    I don't think it's possible.

    In any case, with open_basedir you are not safe; your clients will still be able to see /etc/passwd and other files.

    At this time the only safe solution is PHP safe mode (however, it's too restrictive :( ).

    Bye

    P.S. Does anyone know if something changed with PHP 4.3.0 regarding the security issues related to PHP safe mode and the usage of open_basedir?
     
  4. null

    null Member

    Joined:
    Dec 14, 2002
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Together with open_basedir I also use disable_functions to disable functions: system(), readfile()

    What if I have 100 clients on one machine? That means that I have to add to every VirtualHost something like:

    <VirtualHost xxx.xxx.xxx.xxx>

    php_admin_value open_basedir "/home/[user]/"
    php_admin_value disable_functions "system, readfile"

    ....
    ....

    </VirtualHost>


    ???

    This will take a lot of time!
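
One way to avoid editing 100 VirtualHost entries by hand is to let a script add the per-user directive; this is an added example, not part of the original thread. It assumes each client's DocumentRoot sits under /home/<user>/, and the function name, sample addresses and account names are constructed for illustration.

```python
import re

# Assumption: client sites live under /home/<user>/, as in the thread. The name
# pattern rejects "..", quotes and spaces, so nothing odd reaches the config.
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?/home/([a-z][a-z0-9_-]*)(?:/|"?\s*$)', re.I)
OPEN_RE = re.compile(r"^\s*<VirtualHost\b", re.I)
CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.I)
BASEDIR_RE = re.compile(r"^\s*php_admin_value\s+open_basedir\b", re.I)

# Constructed sample input (documentation addresses and made-up accounts).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
    DocumentRoot /home/alice/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
    DocumentRoot /home/bob/public_html
    php_admin_value open_basedir "/home/bob/"
</VirtualHost>
<VirtualHost 192.0.2.10>
    DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
"""


def add_open_basedir(conf_text):
    """Return (new_text, skipped): skipped holds the opening line of every
    VirtualHost block whose DocumentRoot is not under /home/<user>/."""
    out, skipped = [], []
    header = user = None
    has_directive = False
    for line in conf_text.splitlines():
        if OPEN_RE.match(line):
            header, user, has_directive = line.strip(), None, False
        elif header is not None:
            m = DOCROOT_RE.match(line)
            if m:
                user = m.group(1)
            elif BASEDIR_RE.match(line):
                has_directive = True
            elif CLOSE_RE.match(line):
                if user and not has_directive:
                    # Keep the trailing slash: PHP versions that treat the value
                    # as a prefix would let "/home/bob" also match "/home/bobby".
                    out.append(f'    php_admin_value open_basedir "/home/{user}/"')
                elif not user:
                    skipped.append(header)
                header = None
        out.append(line)
    return "\n".join(out) + "\n", skipped
```

Run it on a copy of httpd.conf, review the blocks reported as skipped, and check the result with `apachectl configtest` before restarting Apache.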
     
  5. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Someone on my server was able to install and run phpmyshell http://www.digitart.com.mx/php/myshell/security.html

    I was using open_basedir on that user. As you can see, open_basedir is not useful for being safe.
     
  6. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Very interesting script. And I can see the problem of not being able to keep the user in the right directory, as the script runs as the webserver ID (nobody in most cases) and not the user. And since the webserver has read access to almost everywhere, that's why it gets through.

    This is the same issue with several scripts out there that mimic shell access: they run as the webserver ID and not the users themselves.
     