Symptoms
When using PHP, the system upload path will always be "/tmp" in many instances. This can even be observed after changing the upload_tmp path in a php.ini file.
Description
PHP uses a system variable to determine the upload path. By default, this is usually configured to "/tmp". The normal workflow is that the file is uploaded to "/tmp" and then moved into the desired upload path for a website. However, if you need to change this path, specific steps need to be performed depending on the situation.
If Mod Security vendor rules for ConfigServer are installed, it could also restrict where files are uploaded.
Workaround
Note: You should consult with a certified administrator to ensure no downtime or issues occur. A text editor like vi, vim, nano would be required to edit the below YAML file as root.
Review the ConfigServer CXS ( Exploit Scanner ) Mod Security Vendor rules if installed. Usually, the configuration file contains the below entries:
- File path: /etc/apache2/conf.d/modsec_vendor_configs/configserver/00_configserver.conf
This security option is designed around making sure file uploads are in a centralized location. CXS will then scan the files for viruses and malware during the upload.
# cxs web script scanning
SecRequestBodyAccess On
SecUploadKeepFiles RelevantOnly
SecTmpDir /tmp
SecUploadDir /tmp
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
"log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101',msg:'ConfigServer Exploit
Scanner (cxs) triggered'"
It is best to reach out to the ConfigServer Support Team to determine if the scan option can be tuned to support custom upload paths. This issue is unrelated to the standard functionality and options provided by the cPanel software. ConfigServer CXS ( Exploit Scanner ) is a 3rdparty software.
* Scanning uploads will need to be disabled to use custom upload paths. If you want to disable this option, follow the below steps in WHM.
- Login to WHM
- Navigate to Home »Security Center »ModSecurity™ Vendors »Manage Vendors
- Click the toggle to the Off position for ConfigServer rules
- For PHP-FPM, you will need to edit the PHP-FPM YAML file to apply this change to the FPM pool configuration.
1. Identity the YAML file which controls the domain in question. cPanel stores these files at the below path:
/var/cpanel/userdata/CPUSER/DOMAIN.com.php-fpm.yaml
In this example, note the following information:
- CPUSER is the cPanel username of the account
- DOMAIN is the domain that utilizes PHP-FPM that you wish to change
2. Add the following line to the file on a new line after "_is_present: 1":
php_admin_value_sys_temp_dir: { name: 'php_admin_value[sys_temp_dir]', value: "/home/CPUSER/DESIRED_PATH_TO_UPLOAD" }
- CPSUER is the cPanel username of the account
- DESIRED_PATH_TO_UPLOAD is the path you wish to use for uploads
3. After the changes have been saved, rebuild the PHP-FPM configurations to apply the change.
/scripts/php_fpm_config --rebuild
- For users NOT using PHP-FPM apply this change in the MultiPHPINI Editor
1. Log in to cPanel for the account
2. Navigate to MultiPHP INI Editor
3. Edit PHP settings for document root or home directory
4. Select Editor Mode
5. Add the below line:
sys_temp_dir = "/home/CPSUER/DESIRED_PATH_TO_UPLOAD"
- CPSUER is the cPanel username of the account
- DESIRED_PATH_TO_UPLOAD is the path you wish to use for uploads
Click SAVE, and you are all set.
If you are interested in more information concerning how cPanel manages PHP-FPM pool settings or how these settings are defined, see the below documentation page.