The Community Forums

Interact with an entire community of cPanel & WHM users!

SuPHP problem

Discussion in 'Security' started by grzeg, Mar 11, 2010.

  1. grzeg

    grzeg Member

    Joined:
    Jul 8, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    0
    Hello!
    I've got a fresh new cPanel install. I've just compiled Apache + SuPHP (the "PHP Security" option in "EasyApache (Apache Update)").
    Everything is working fine except for the restrictions.
    Simple PHP script, like "echo file_get_contents('/etc/passwd');", is able to read that file, which I'd rather avoid.
    Is this normal behavior, or did I do something wrong? Do I have to create custom php.ini files for every user with the "open_basedir" variable?

    System: Centos 5.4 64bit
    Kernel: 2.6.18-164.11.1.el5
    cPanel: cPanel 11.25.0-R43473 - WHM 11.25.0

    Best Regards!
    Grzeg
     
  2. grzeg

    grzeg Member

    Joined:
    Jul 8, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    0
    Alright, I will help you out ;)

    In httpd.conf I've made a global conf to define php.ini file:
    suPHP_ConfigPath /usr/local/php

    Apache is reading this file only ( no custom php.ini files allowed ).

    In php.ini I set open_basedir restrictions:

    /home:/usr/lib/php:/usr/local/lib/php:/tmp

    Everything seems to be working fine, so I just want to ask you whether it is enough or whether there is anything else to change.
    PHP code can not access e.g. /etc/passwd file anymore, and can't access other users homedirs.
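
The following is an added example for this thread, not a script from any post. It writes the kind of per-account php.ini line the thread is discussing and audits an existing php.ini for two open_basedir pitfalls: no value at all (no restriction), and entries without a trailing slash. PHP compares each open_basedir entry as a path prefix, so "/home/alice" also admits "/home/alice2", while "/home/alice/" does not. Run against the value quoted in the post above it flags every entry for that reason; note also that "/home/" alone spans every account, so the per-user boundary still comes from file ownership and modes. All paths are illustrative assumptions, not this server's layout.

```shell
#!/bin/sh
# Added example for this thread, not code from any post. Generates a
# per-account open_basedir line and checks an existing php.ini for a
# missing open_basedir or entries without a trailing slash (PHP treats
# each entry as a prefix). All paths below are illustrative assumptions.

# open_basedir_line USER : php.ini line scoping one account to its own home,
# the shared PHP library paths and /tmp, every entry ending in "/"
open_basedir_line() {
    printf 'open_basedir = /home/%s/:/usr/lib/php/:/usr/local/lib/php/:/tmp/\n' "$1"
}

# open_basedir_value INI : print the effective value (last uncommented
# assignment wins; trailing "; comment" and surrounding quotes stripped).
# Prints nothing when the directive is absent or commented out with ";".
open_basedir_value() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_open_basedir INI : return 0 when open_basedir is set and every
# colon-separated entry is an absolute directory ending in "/"; otherwise
# print one line per finding and return 1
check_open_basedir() {
    ini=$1
    value=$(open_basedir_value "$ini")
    if [ -z "$value" ]; then
        echo "$ini: open_basedir is not set; scripts can read any world-readable file"
        return 1
    fi
    rc=0
    old_ifs=$IFS
    IFS=:
    for entry in $value; do
        case $entry in
            /)   echo "$ini: entry '/' covers the whole filesystem"; rc=1 ;;
            /*/) ;;   # absolute and slash-terminated: matches exactly this directory tree
            /*)  echo "$ini: entry '$entry' lacks a trailing slash (prefix match also admits '${entry}'*)"; rc=1 ;;
            *)   echo "$ini: entry '$entry' is not an absolute path"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Usage: sh check_open_basedir.sh /usr/local/php/php.ini [more.ini ...]
# With no arguments nothing runs, so the file can also be sourced for its functions.
for ini in "$@"; do
    check_open_basedir "$ini" && echo "$ini: open_basedir ok: $(open_basedir_value "$ini")"
done
```

The trailing-slash rule is the one thing worth remembering from this: a bare "/tmp" admits "/tmpfoo" if such a path ever exists, and "/home" admits every account under it, so the check treats slash-terminated entries as the only correct form.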
     
  3. radeonpower

    radeonpower Well-Known Member

    Joined:
    Jul 23, 2009
    Messages:
    129
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Would be nice to get some input from cPanel here, is this a security threat?
     
  4. grzeg

    grzeg Member

    Joined:
    Jul 8, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    0
    Theoretically no, because the passwd file is not a big secret (no password is stored in that file), but I don't like to share all that information with my clients.
    Without the "open_basedir" restriction, users are allowed to read other dirs and files with global read permission.

    Apparently, SuPHP is blocking scripts trying to read other users webroots ( like /home/other_user/public_html/file.html ), so it looks like my solution should work properly.
     
  5. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Yes, you covered the basics for doing that ...

    Be advised though that users could still override the restrictions with a custom PHP.INI unless you modified the code and manually recompiled, or use function shadowing and do the same, but what you listed is generally a good start in the right direction.
     
  6. sukil

    sukil Member

    Joined:
    Nov 15, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I can't understand anything that Spiral said.

    Also, I don't see any cPanel moderator commenting on the seemingly excellent method posted by grzeg here. Is it safe to apply this technique alone, or does one need to do more, or does it simply not work? I would like guidance on this, as all the other suggestions I have seen so far seem very tedious to maintain, while this seems to do the job with very little maintenance.

    Please comment.

    Thank you,

    S
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,461
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  8. sukil

    sukil Member

    Joined:
    Nov 15, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    That link does not help either! I am looking for some cPanel representative to comment here on what grzeg has recommended. Or please link me or guide me to a simple step-by-step way to secure a server with suPHP for existing and future accounts that requires fewer maintenance man-hours from me to ensure the security of the server. I am so confused about what is right, not being so technical in these topics!
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,461
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  10. sukil

    sukil Member

    Joined:
    Nov 15, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Actually I do have a managed hosting plan from SolarVPS, and they say it is as it is and told me it is a hassle to maintain suPHP and to go for DSO. However, since I find suPHP recommended by cPanel and provided as the default solution, yet with security issues, I am looking for assistance here on how best to resolve those security issues without too much of a maintenance aspect involved, with about 200 existing accounts and new accounts that will come onboard in the future.
     
  11. yapluka

    yapluka Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    France
    cPanel Access Level:
    Root Administrator
    suPHP is certainly not a hassle to maintain. All our shared servers and all our customers' shared servers that we manage are configured with suPHP with no problem at all, and some servers are hosting up to 800 accounts.
    You only need to make sure that:
    1) Files and folders are owned by the user
    2) Folder permissions are no higher than 755 and file permissions no higher than 644
    3) .htaccess contains no php flag values

    Custom php.ini files are controlled with suPHP_ConfigPath, and we have written a small script that helps our customers to easily create one for their customers who need a custom configuration.
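
The following is an added example for this thread, not the script mentioned in the post above or any other poster's code. It checks one account's document root against the three items listed in that post (ownership, directory modes no higher than 755 and file modes no higher than 644, no mod_php directives in .htaccess) and returns the number of findings, so it can be run from cron over every account under /home. The sample tree it builds is constructed for demonstration, and all paths are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not a script from any post. Audits one
# account's docroot against the three suPHP checklist items and returns the
# number of findings (0 = clean). Paths and the sample tree are assumptions.

# count_and_report LABEL PATHS : print each path with LABEL on stderr,
# print the number of paths on stdout (0 when PATHS is empty)
count_and_report() {
    label=$1
    list=$2
    if [ -z "$list" ]; then
        echo 0
        return
    fi
    printf '%s\n' "$list" | sed "s|^|$label: |" >&2
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# audit_account ROOT OWNER : return the number of findings, capped at 255
audit_account() {
    root=$1
    owner=$2
    total=0

    # 1) every file and directory must belong to the account user: under suPHP
    #    the interpreter runs as that user, so foreign-owned files are either
    #    unreadable to it or, worse, belong to another account that can edit them
    found=$(find "$root" ! -user "$owner" -print)
    c=$(count_and_report "not owned by $owner" "$found")
    total=$((total + c))

    # 2a) directories: nothing above 755, i.e. no group or world write bit
    found=$(find "$root" -type d \( -perm -g+w -o -perm -o+w \) -print)
    c=$(count_and_report "directory mode above 755" "$found")
    total=$((total + c))

    # 2b) files: nothing above 644, i.e. no group/world write and no execute bit
    found=$(find "$root" -type f \( -perm -g+w -o -perm -o+w \
        -o -perm -u+x -o -perm -g+x -o -perm -o+x \) -print)
    c=$(count_and_report "file mode above 644" "$found")
    total=$((total + c))

    # 3) php_flag / php_value (and the php_admin_* forms) are mod_php directives;
    #    with PHP running under suPHP no Apache module understands them
    found=$(find "$root" -type f -name .htaccess \
        -exec grep -liE 'php_(admin_)?(flag|value)' {} \;)
    c=$(count_and_report "mod_php directive in .htaccess" "$found")
    total=$((total + c))

    [ "$total" -gt 255 ] && total=255   # shell return codes stop at 255
    return "$total"
}

# make_sample_account DIR : constructed docroot with a clean index.php, one
# world-writable file and one .htaccess carrying a php_flag (two findings)
make_sample_account() {
    d=$1/public_html
    mkdir -p "$d/inc"
    chmod 755 "$d" "$d/inc"
    printf '<?php echo "hello";\n' > "$d/index.php"
    chmod 644 "$d/index.php"
    printf '<?php $db_pass = "example";\n' > "$d/inc/config.php"
    chmod 666 "$d/inc/config.php"              # violation: writable by everyone
    printf 'php_flag display_errors off\n' > "$d/.htaccess"
    chmod 644 "$d/.htaccess"                   # violation: mod_php directive
}

# Usage: sh audit_account.sh /home/alice/public_html alice
# Without arguments it audits the constructed sample tree in a temp dir.
if [ $# -eq 2 ]; then
    audit_account "$1" "$2"
else
    tmp=$(mktemp -d)
    make_sample_account "$tmp"
    audit_account "$tmp/public_html" "$(id -un)"
    echo "findings: $?"
    rm -rf "$tmp"
fi
```

Findings go to stderr and the count is the exit status, so a loop such as `for u in /home/*; do sh audit_account.sh "$u/public_html" "$(basename "$u")"; done` can be grepped or mailed without parsing.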
     