
suPHP, open_basedir, and Multi PHP via EA4...together for improved security

Discussion in 'Workarounds and Optimization' started by bgarrant, May 5, 2016.

  1. bgarrant

    bgarrant Active Member

    Joined:
    Jun 27, 2012
    Messages:
    26
    Likes Received:
    8
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    After reading many threads on this issue, I started scratching my head on how I could make this work WITHOUT allowing user.ini or php.ini files per account. I wanted to maintain the open_basedir restrictions myself in the global php.ini file. In the past I would just use one php.ini file and add lines for each website at the bottom of the php.ini file:

    Code:
    [PATH=/home/username/]
    open_basedir = "/home/username/:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    [PATH=/home/username2/]
    open_basedir = "/home/username2/:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    [PATH=/home/username3/]
    open_basedir = "/home/username3/:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    This worked great, but now with EasyApache 4 we can use multiple versions of PHP. So my options were to add these to the bottom of each version's php.ini (in case a client changes version) or to allow user ini files again, right? Not so. Here is what I did.

    SOLUTION

    I created an INI file in a new directory called "anything/php/zapp.ini" (permission 444) with all my PATH directives in this format. Each one represents a website. The "zapp.ini" name is important in case the additional INI folders are read by name in the php.d folder.

    Code:
    [PATH=/home/username/]
    open_basedir = "/home/username/:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    [PATH=/home/username2/]
    open_basedir = "/home/username2/:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    [PATH=/home/username3/]
    open_basedir = "/home/username3/:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    Then I created symlinks as follows through the console:

    Code:
    ln -s /anything/php/zapp.ini /opt/cpanel/ea-php70/root/etc/php.d/zapp.ini
    ln -s /anything/php/zapp.ini /opt/cpanel/ea-php56/root/etc/php.d/zapp.ini
    ln -s /anything/php/zapp.ini /opt/cpanel/ea-php55/root/etc/php.d/zapp.ini
    ln -s /anything/php/zapp.ini /opt/cpanel/ea-php54/root/etc/php.d/zapp.ini
    
    Then Restart Apache:

    Code:
    # service httpd restart
    
    So now when the additional INI files are loaded from the php.d folders for each version of PHP, the zapp.ini file is loaded last with the overrides. So even if a user changes PHP version in cPanel using the new Multi PHP Handler with EA4, their PATH open_basedir settings should still be maintained.

    All seems to be working great so far with this method. My only concern is with updates. I am hoping the symlinks will remain in place, but only time will tell. Obviously when a new version is loaded up a new symlink will need to be created, but this so far has been a HUGE timesaver!

    If anyone has any feedback on this, please let me know. I strongly suggest, if you try something like this, to back up, back up, back up your server first!
     
    #1 bgarrant, May 5, 2016
    Last edited: May 5, 2016
    mtindor likes this.
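
An added example, not part of the original post and not cPanel tooling: a shell audit for the setup described in post #1. It checks that every installed ea-php version still has its zapp.ini symlink, that every home directory has a PATH section, and that each section's open_basedir starts with its own path. The function names are hypothetical, and it assumes every directory directly under the home root is an account home.

```shell
#!/bin/sh
# Added example: audit helpers for a shared zapp.ini symlinked into each
# EasyApache 4 PHP version. Function names are hypothetical.

# List php.d directories whose zapp.ini is missing or does not link to $1.
missing_links() {
    master=$1; ea_root=$2
    for d in "$ea_root"/ea-php*/root/etc/php.d; do
        [ -d "$d" ] || continue
        link="$d/zapp.ini"
        if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$master" ]; then
            echo "$d"
        fi
    done
}

# List home directories with no [PATH=<dir>/] section in the master file.
# Assumption: every directory directly under $2 is an account home.
uncovered_homes() {
    master=$1; home_root=$2
    for h in "$home_root"/*/; do
        [ -d "$h" ] || continue
        grep -qxF "[PATH=$h]" "$master" || echo "$h"
    done
}

# List sections whose open_basedir does not start with the section's own
# path (a copy/paste slip that would confine one account to another's home).
mismatched_sections() {
    awk '
        /^\[PATH=.*\]$/ { path = substr($0, 7, length($0) - 7); next }
        /^open_basedir[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*"?/, "", val)
            if (path != "" && index(val, path) != 1) print path
        }' "$1"
}

# Run all checks; print findings and return 1 if there are any.
audit() {
    out=$(missing_links "$1" "$2"; uncovered_homes "$1" "$3"; mismatched_sections "$1")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Usage with the paths from the post:
#   audit /anything/php/zapp.ini /opt/cpanel /home
```

Running the audit after package updates or after a new PHP version is installed reports the directories that still need a symlink.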
  2. bgarrant

    It may also be a good idea to comment out the open_basedir value in your global php.ini file while using this method.

    Code:
    ; open_basedir = "/usr/lib/php:/usr/local/lib/php:/tmp"
    
     
  3. bgarrant

    Been using this method several days now with no issues. Even had a cPanel update in that time.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm happy to see this custom workaround is working as intended. Thank you for updating us with the outcome. Note that you can run "yum update" when new packages are available for EasyApache 4 if you have automatic package updates disabled.

    Thank you.
     
  5. bgarrant

    This method has been working great. No issues and security is working well. Thanks Michael.
     