The Community Forums


suphpconfig option

Discussion in 'Security' started by david510, Nov 29, 2011.

  1. david510

    On a suPHP server, we cannot easily set open_basedir globally as we can with PHP loaded as an Apache module. With PHP as an Apache module, we can enable the open_basedir protection from WHM. When suPHP is in place, we need to add it in the php.ini file.

    If we are enabling open_basedir in the global php.ini file, e.g. /usr/local/lib/php.ini, we will need to give "open_basedir = /home:" and cannot specify it for individual accounts. Giving /home here allows all users to access any files in the /home folder. So user1 can access files of user2.

    Well, we can give "suPHP_ConfigPath /path/to/php.ini" for each account and specify this. For this we will need suPHP_ConfigPath added for all accounts on the server, either inside the VH or separately using a Directory tag in a different config file that is included in the pre_main2.conf file.

    Eg:

    Code:
    <Directory /home/username>
    suPHP_ConfigPath /usr/local/apache/conf/suphpconfig/username/
    </Directory>
    
    Add a similar Directory tag for all users on the server and place a php.ini in the path /usr/local/apache/conf/suphpconfig/username/. You can copy the global php.ini file here and edit it to read "open_basedir = /home/username/public_html:/tmp". So we are safe. Each user can only access files inside his own home directory and not outside his home directory.

    Now BIG question:

    Instead of adding a Directory tag for each user, can we add something like the following, i.e. a single global entry that will have the effect of what I described earlier?
    Code:
    open_basedir = /home/$VAR/public_html
    
    Whenever a particular domain is accessed, the $VAR should be replaced by the username automatically. I guess this may not be possible, but I am seeking similar logic.

    Another issue with the per Directory option is that, when new accounts are created on the server, we need to add the Directory tag each time.
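
As an added example (not part of the original post and not cPanel's own tooling): one way to avoid hand-editing a Directory tag per account is to regenerate the include file and the per-user php.ini copies from the directories under /home, for instance after each account creation. The function name, its arguments and the output file name in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example: rebuild per-user suPHP_ConfigPath blocks and php.ini copies.
# The function name and its arguments are hypothetical; pass real paths explicitly.

# gen_suphp_conf HOME_ROOT CONF_ROOT GLOBAL_INI OUT_CONF
gen_suphp_conf() {
    home_root=$1 conf_root=$2 global_ini=$3 out_conf=$4
    tmp_conf="$out_conf.new"
    : > "$tmp_conf" || return 1

    for dir in "$home_root"/*/; do
        [ -d "${dir}public_html" ] || continue    # skip non-account directories
        user=$(basename "$dir")
        # Skip names that could break out of the path or the Apache directive.
        case $user in
            *[!A-Za-z0-9_-]*|'') continue ;;
        esac

        mkdir -p "$conf_root/$user" || return 1
        ini="$conf_root/$user/php.ini"
        # Copy the global php.ini minus any existing open_basedir line
        # (commented out or not), then append the per-user restriction.
        sed '/^[[:space:];]*open_basedir[[:space:]]*=/d' "$global_ini" > "$ini.new"
        printf 'open_basedir = %s/%s/public_html:/tmp\n' "$home_root" "$user" >> "$ini.new"
        chmod 644 "$ini.new" && mv "$ini.new" "$ini" || return 1

        printf '<Directory %s/%s>\n    suPHP_ConfigPath %s/%s/\n</Directory>\n' \
            "$home_root" "$user" "$conf_root" "$user" >> "$tmp_conf"
    done

    mv "$tmp_conf" "$out_conf"    # replace the include file in one step
}

# Usage with the paths from the post (output file name is an assumption):
# gen_suphp_conf /home /usr/local/apache/conf/suphpconfig \
#     /usr/local/lib/php.ini /usr/local/apache/conf/suphp_users.conf
```

Run it as root so the generated php.ini files stay outside the users' control, check the result with Apache's config test, and reload Apache for new Directory blocks to take effect.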
     