open_basedir and Jailed apache
Newbie question :)
Is open_basedir protection necessary in jailed apache?
I think it's not and I leave it off by default,
but to be sure, I came to ask you guys!
-
Hello, Could you provide some more information for this question? For instance, is this in reference to a specific type of attack (e.g. symlink attacks)? The following document is useful for general PHP security advice: PHP Security Concepts - cPanel Knowledge Base - cPanel Documentation Thank you.
-
Hello Michael, open_basedir restricts user access to their own directories via PHP. And do the same, but at apache level. So, is enabling open_basedir protection necessary when you already use Jailed apache?
-
Hello Michael, Thanks for the answer. I wonder if it is necessary to activate open_basedir when the "Jail Apache Virtual Hosts" option is enabled, taking into account that this option, when activated, generates some PHP warnings, especially for some WordPress plugins, and that (unless I got it wrong) jailed apache already limits user access to its own folder. All my customers have jailed access to the shell. What worries me are the PHP and CGI scripts. This is an important question for me, because currently I leave open_basedir disabled and I trust Jail Apache to limit each user to its own folder. UPDATE: I can test this if you guys do not have the answer to that. I came to ask first because I would like a more trustworthy answer on this subject.
-
Hello, The "Jail Apache Virtual Hosts" option limits the user's filesystem view to their /home/virtfs/$USER filesystem, however the option is still considered Experimental so it's not something we can definitively tell you will work in every circumstance. You'd still want to test this out, or consult with a qualified security expert or system administrator to determine if enabling both options could address potential vulnerabilities. Thank you.
-
Hello Michael, After many tests, I came to the conclusion that the open_basedir restriction is necessary even with jail apache enabled. Many configuration files and sensitive files on the server are accessible without this restriction, which can compromise server security, especially if you are not sure that the file permissions are set correctly. Anyway, open_basedir is an important protection and should be activated even with jail apache enabled.
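
A check of the kind the last post describes, as an added example that is not part of the original thread: a PHP script that reports the effective open_basedir value and which probe paths PHP can read as the hosting account, so the jail-only and jail-plus-open_basedir configurations can be compared. The probe list, the `/home/OTHERUSER` placeholder and the function names `account_home()` and `probe_paths()` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): report what PHP can read as this account.
// Run it through the same PHP handler the site uses, once per configuration.

// Constructed probe list; replace with paths this account should not see.
// '/home/OTHERUSER' is a placeholder for a second account's home directory.
$probes = [__DIR__, '/home/OTHERUSER', '/etc', '/var/log'];

/** Return the home directory of the user PHP runs as, or null if unknown. */
function account_home(): ?string
{
    if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        if (is_array($pw) && !empty($pw['dir'])) {
            return rtrim($pw['dir'], '/');
        }
    }
    return null;
}

/** Probe each path and flag readable ones that lie outside the account home. */
function probe_paths(array $paths, ?string $home): array
{
    $rows = [];
    foreach ($paths as $path) {
        // With open_basedir set, a path outside it makes is_readable() return
        // false and raise a warning; @ keeps the report clean.
        $readable = @is_readable($path);
        $inHome = $home !== null
            && ($path === $home || strncmp($path, $home . '/', strlen($home) + 1) === 0);
        $rows[] = ['path' => $path, 'readable' => $readable,
                   'finding' => $readable && !$inHome];
    }
    return $rows;
}

$basedir = (string) ini_get('open_basedir');
printf("open_basedir: %s\n", $basedir === '' ? '(not set)' : $basedir);
foreach (probe_paths($probes, account_home()) as $r) {
    printf("%-20s readable=%-3s %s\n", $r['path'], $r['readable'] ? 'yes' : 'no',
        $r['finding'] ? 'OUTSIDE HOME' : '');
}
```

Any row marked OUTSIDE HOME in a given configuration is a path that account's PHP scripts can read beyond its own folder.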