open_basedir protection
Contrary to what PHP open_basedir Tweak - Documentation - cPanel Documentation says
when you enable or disable Home "Security Center "PHP open_basedir Tweak
no changes are made to any files.
One would expect changes to be written to /etc/apache2/conf/httpd.conf.
I can see the timestamp change on the file but perfoming a diff on
/etc/apache2/conf/httpd.conf and a previously saved file shows no difference.
Running
CENTOS 7.2 x86_64 virtuozzo " WHM 58.0 (build 20)
-
From your other thread I believe you're using suPHP? cPanelMichael will correct me if I'm wrong but I believe PHP open_basedir tweak has no effect under suphp (as the relevant value can by default be changed per user in their php.ini file) 0 -
I know that under mod_cgid you must change the setting in php.ini for each PHP version you run. Right now I've disabled it because it causes issues all over the place, composer is an example, and I'm pressed for time. 0 -
From your other thread I believe you're using suPHP? cPanelMichael will correct me if I'm wrong but I believe PHP open_basedir tweak has no effect under suphp (as the relevant value can by default be changed per user in their php.ini file)
Thanks for your note. The only working solution I have is to use suphp and place php.ini in the public_html with open_basedir specified. While I prefer to use cgi, suphp is the only solution I have that works. The PHP open_basedir Tweak has no affect on or off, both in cgi and in suphp.0 -
/usr/local/cpanel/bin/rebuild_phpconf --current
This is what I have DEFAULT PHP: ea-php56 ea-php56 SAPI: cgi I also created a custom profile, to remove PHP 5.5 and PHP7 I { "desc" : "Auto Generated profile", "pkgs" : [ "ea-apache24", "ea-apache24-config", "ea-apache24-config-runtime", "ea-apache24-mod_bwlimited", "ea-apache24-mod_cgid", "ea-apache24-mod_deflate", "ea-apache24-mod_expires", "ea-apache24-mod_headers", "ea-apache24-mod_mpm_worker", "ea-apache24-mod_proxy", "ea-apache24-mod_proxy_fcgi", "ea-apache24-mod_proxy_http", "ea-apache24-mod_security2", "ea-apache24-mod_ssl", "ea-apache24-mod_suexec", "ea-apache24-mod_suphp", "ea-apache24-mod_unique_id", "ea-apache24-tools", "ea-apr", "ea-apr-util", "ea-cpanel-tools", "ea-documentroot", "ea-libmcrypt", "ea-php-cli", "ea-php56", "ea-php56-build", "ea-php56-libc-client", "ea-php56-pear", "ea-php56-php-bcmath", "ea-php56-php-bz2", "ea-php56-php-calendar", "ea-php56-php-cli", "ea-php56-php-common", "ea-php56-php-curl", "ea-php56-php-dba", "ea-php56-php-enchant", "ea-php56-php-exif", "ea-php56-php-fileinfo", "ea-php56-php-fpm", "ea-php56-php-ftp", "ea-php56-php-gd", "ea-php56-php-gettext", "ea-php56-php-gmp", "ea-php56-php-iconv", "ea-php56-php-imap", "ea-php56-php-intl", "ea-php56-php-ioncube", "ea-php56-php-ldap", "ea-php56-php-mbstring", "ea-php56-php-mcrypt", "ea-php56-php-mysqlnd", "ea-php56-php-odbc", "ea-php56-php-pdo", "ea-php56-php-posix", "ea-php56-php-process", "ea-php56-php-pspell", "ea-php56-php-snmp", "ea-php56-php-soap", "ea-php56-php-sockets", "ea-php56-php-xml", "ea-php56-php-xmlrpc", "ea-php56-php-zendguard", "ea-php56-php-zip", "ea-php56-runtime" ], "name" : "PHP 56.json", "version" : "1.0", "tags" : [ "Apache 2.4", "PHP 5.6" ] }0 -
While I prefer to use cgi, suphp is the only solution I have that works. The PHP open_basedir Tweak has no affect on or off, both in cgi and in suphp.
Hello, The following document is helpful here: PHP open_basedir Tweak - Documentation - cPanel Documentation Per this document: Note: This security tweak modifies the Apache configuration file, regardless of the0 -
There is actually another option here, outlined by cPTristan now a fair amount of time ago in the thread at Methods to Increase Security on suPHP - Restricting who can use php.ini files If you don't want users to have their own individual php.ini files under suphp you can disable this per his instructions and then specify the open basedir path restrictions in the main php.ini for each user / user app. It's not ideal, but it works. 0
Please sign in to leave a comment.
Comments
7 comments