The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

session_start triggering open_basedir

Discussion in 'Security' started by fineline, Oct 1, 2010.

  1. fineline

    fineline Active Member

    Apr 10, 2006
    Likes Received:
    Trophy Points:
    Yesterday i decided to update PHP. I used EasyApache to do this. I didn't change any setting except the version of PHP. Now every site that uses session_start() triggers open_basedir.

    we use the open_basedir option so that users can't get into other users folders and files.

    I tested to make sure the session_start was the problem and it was.
    I installed a demo site and crated the index.php file with the following code.

    And sure enough i get the open_basedir error.
    I Googled the error and read others are having this issue too.
    From what i can gather my real /tmp directory is in /var/tmp
    I tried adding this to the include_path and also to open_basedir but still have the error.

    Any suggestions on how to fix this or a better way to build Apache+PHP and have the security feature where other users can not get into files and folders of other users on the server?

    Any help would be great.
    Thank You!
  2. mtindor

    mtindor Well-Known Member

    Sep 14, 2004
    Likes Received:
    Trophy Points:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I'm thinking that I've had to restart apache after updating certain things [like open_basedir] in php.ini. So after you add /tmp and-or /var/tmp to your open_basedir directive, restart apache and see if it's taking effect.

    If you are not running PHP as cgi, suphp or fastcgi, then you can enable the PHP open_basedir Protection under the Security Center in WHM.

    PHP's open_basedir protection prevents users from opening files outside of their home directory with php.

    This security tweak uses Apache DSO style directives. If PHP is configured to run as a CGI, SuPHP or
    FastCGI process, the open_basedir setting must be manually specified in the relevant php.ini file.
    See the EasyApache documentation for more information.

    If you are running suPHP or are running suPHP as cgi or fastcgi, then the PHP open_basedir Protection in the Security Center will not restrict each individual user to their own home directory. You'd have to have individual php.ini files for each user account and then set the restrictive open_basedir that includes that users' specificc home directory, your temp folder, etc. It's a mess and a pain in the rear end, but it can be done.

  3. fineline

    fineline Active Member

    Apr 10, 2006
    Likes Received:
    Trophy Points:
    PHP is ran as DSO. I have tried to restart each time i have made updates. I even checked phpinfo() to make sure the changes have taken effect.

    It's the strangest thing i have ever seen. I'm willing to change how PHP is ran if it will fix the problems.

    Basically i need a few things. Good performance, security and stability.

    The one MAIN thing i need if for other users to not be able to access other users data.

    So if someone could point me in the direction on how to build Apache and PHP to do this it would be great. Currently i have about 18 sites that are messed up because they use sessions and they are all getting the open_basedir errors.
  4. GaryT

    GaryT Well-Known Member

    May 19, 2010
    Likes Received:
    Trophy Points:
    DSO = Scrap INSTANTLY - Thats one security issue alone, Never mind talking about openbase !

    Good Performance, Security, Stabality - All 3 do not come cheap, Unless your experienced enough to make some hard changes, Anyway forget about this for the time being...

    For security I would go with suPHP -For performance I would go with fastcgi + modcgi, for stablility, I would go with both but you cannot :rolleyes:

    You need some server admin to take a look and get some basic things going.
Similar Threads - session_start triggering open_basedir
  1. CanSpace

Share This Page