suPHP, open_basedir, and Multi PHP via EA4...together for improved security

bgarrant

cPanel Access Level
Root Administrator
After reading many threads on this issue, I started scratching my head on how I could make this work WITHOUT allowing user.ini or php.ini files per account. I wanted to maintain the open_basedir restrictions myself in the global php.ini file. In the past I would just use one php.ini file and add lines for each website at the bottom of the php.ini file:

Code:
[PATH=/home/username/]
open_basedir = "/home/username/:/usr/lib/php:/usr/local/lib/php:/tmp"

[PATH=/home/username2/]
open_basedir = "/home/username2/:/usr/lib/php:/usr/local/lib/php:/tmp"

[PATH=/home/username3/]
open_basedir = "/home/username3/:/usr/lib/php:/usr/local/lib/php:/tmp"
This worked great, but now with EasyApache 4 we can use Multiple versions of PHP. So my options were to add these to the bottom of each version php.ini (in case a client changes version) or to allow user ini files again right? Not so. Here is what I did.

SOLUTION

I created an INI file in a new directory called "anything/php/zapp.ini" (permission 444) with all my PATH directives in this format. Each one represents a website. The "zapp.ini" name is important in case the additional INI folders are read by name in the php.d folder.

Code:
[PATH=/home/username/]
open_basedir = "/home/username/:/usr/lib/php:/usr/local/lib/php:/tmp"

[PATH=/home/username2/]
open_basedir = "/home/username2/:/usr/lib/php:/usr/local/lib/php:/tmp"

[PATH=/home/username3/]
open_basedir = "/home/username3/:/usr/lib/php:/usr/local/lib/php:/tmp"
Then I created symlinks as follows through the console:

Code:
ln -s /anything/php/zapp.ini /opt/cpanel/ea-php70/root/etc/php.d/zapp.ini
ln -s /anything/php/zapp.ini /opt/cpanel/ea-php56/root/etc/php.d/zapp.ini
ln -s /anything/php/zapp.ini /opt/cpanel/ea-php55/root/etc/php.d/zapp.ini
ln -s /anything/php/zapp.ini /opt/cpanel/ea-php54/root/etc/php.d/zapp.ini
Then Restart Apache:

Code:
# service httpd restart
So now when the additional INI files are loaded from the php.d folders for each version of PHP, the zapp.ini file is loaded last with the overrides. So even if a user changes PHP version in cPanel using the new Multi PHP Handler with EA4, their PATH open_basedir settings should still be maintained.

All seems to be working great so far with this method. My only concern is with updates. I am hoping the symlinks will remain in place, but only time will tell. Obviously when a new version is loaded up a new symlink will need to be created, but this so far has been a HUGE timesaver!

If anyone has any feedback on this please let me know. I strongly suggest if you try something like this to backup, backup, backup your server first!
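
An audit for the two concerns raised in the post above (symlinks surviving updates, and a new PHP version needing its own symlink), as an added example that is not part of the original thread. The function names and output labels are hypothetical; the default paths follow the post's layout, with /anything/php/zapp.ini being the poster's placeholder path.

```bash
#!/usr/bin/env bash
# Added audit example (not from the thread). Paths are parameters so the
# checks can be pointed at a test tree; defaults follow the post's layout.

# Print each EA4 PHP version whose php.d/zapp.ini is missing or does not
# resolve to the shared file. Prints nothing when every version is covered.
audit_links() {
    local ea_root="${1:-/opt/cpanel}" shared="${2:-/anything/php/zapp.ini}"
    local dir link
    for dir in "$ea_root"/ea-php*/root/etc/php.d; do
        [ -d "$dir" ] || continue          # glob matched nothing
        link="$dir/zapp.ini"
        if [ ! -L "$link" ]; then
            echo "MISSING $link"           # e.g. a newly installed PHP version
        elif [ ! "$link" -ef "$shared" ]; then
            echo "WRONG_TARGET $link"      # dangling, or points elsewhere
        fi
    done
}

# Print each account directory under home_root that has no [PATH=...] section
# in the shared INI, i.e. an account with no per-site open_basedir override.
audit_sections() {
    local home_root="${1:-/home}" shared="${2:-/anything/php/zapp.ini}"
    local home
    for home in "$home_root"/*/; do
        [ -d "$home" ] || continue
        # -x: whole line, -F: literal match, so "[" is not a bracket expression
        grep -qxF "[PATH=${home}]" "$shared" || echo "NO_SECTION ${home}"
    done
}

# Report only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_links
    audit_sections
fi
```

Run it with `--run` from cron or after package updates; any output line means an account or PHP version is not covered by the shared file.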

bgarrant

It may also be a good idea to comment out the open_basedir value in your global php.ini file while using this method.

Code:
; open_basedir = "/usr/lib/php:/usr/local/lib/php:/tmp"
 

cPanelMichael

Administrator
Staff member
Been using this method several days now with no issues. Even had a cPanel update in that time.
Hello,

I'm happy to see this custom workaround is working as intended. Thank you for updating us with the outcome. Note that you can run "yum update" when new packages are available for EasyApache 4 if you have automatic package updates disabled.

Thank you.
 

bgarrant

This method has been working great. No issues and security is working well. Thanks Michael.