Disabling open_basedir per user with CLI

xfactor5

• September 08, 2017 02:47

Hi, I searched everywhere and could not find anything. I have to disable open_basedir protection per user via command line or some other way that can be used inside our API in a programmatic way. I don't want to disable it completely for everyone due to security reasons. I also checked WHM API, but there is no open_basedir function there. Is there a method for doing this with CLI or some other way that can be used programmatically? Thanks

• 

  cPanelMichael

  • September 12, 2017 14:53

  Hello, Can you verify which PHP handler is enabled for the account you want to disable it on? You can check to see which PHP handler is enabled via "WHM >> MultiPHP INI Manager". Thank you.

  0
• 

  xfactor5

  • September 13, 2017 14:45

  Hi, It's not one specific account. We must do it for many accounts programmatically. But anyway we would use eaphp71 (our code base is PHP 7.1) and the web server is LiteSpeed. Every time a new website is made with our site builder, we create a Cpanel account and that account loads our CMS's PHP files from one master Cpanel account to prevent lots of identical copies. We trust our own code, but the problem is that we if disable it server wide, security would be compromised by some accounts that use 3rdparty scripts like our forum. Therefore, we must disable openbase_dir for each user after we create a new account with WHM API. Regards

  0
• 

  cPanelMichael

  • September 13, 2017 18:07

  Hello, The "open_basedir" directive is manually added to the php.ini file (unless you are using the DSO handler), so you'd setup a script that adds a custom open_basedir entry to an account's php.ini file upon creation. Here's a UAPI function you can use to edit an account's php.ini file: UAPI Functions - LangPHP::php_ini_set_user_content - Software Development Kit - cPanel Documentation Thank you.

  0
• 

  xfactor5

  • September 14, 2017 10:47

  Hi, It does not work, it's like it has no effect. And I am not surprised because it should not work with UAPI and users CPanel account! If any user can disable openbase_dir from their control panels, this would be a huge security risk because it means anyone can access files server wide just by adding a few directives. The openbase_dir tweak is part of WHM not Cpanel and therefore if there is gonna be an API, it must be in WHM API not UAPI. Any other solutions? I don't want to mess with http.conf! Thanks

  0
• 

  cPanelMichael

  • September 14, 2017 17:41

  Hello, Can you browse to "WHM >> MultiPHP Manager" and verify if PHP-FPM is enabled for any of your domain names? Also, please post the output from the following command:
  /usr/local/cpanel/bin/rebuild_phpconf --current
  Thank you.

  0
• 

  xfactor5

  • September 15, 2017 07:38

  Hi, No, it's not enabled. We use LiteSpeed and as far as I remember it has it's own LSAPI which is faster than PHP-FPM. The output: DEFAULT PHP: ea-php56 ea-php54 SAPI: suphp ea-php55 SAPI: suphp ea-php56 SAPI: suphp ea-php70 SAPI: suphp ea-php71 SAPI: suphp But we mostly use PHP 7.1 and we are planning to make it default. Thanks

  0
• 

  cPanelMichael

  • September 19, 2017 18:17

  Hello, I believe this works differently when you use LiteSpeed. Here's a LiteSpeed blog post that you may find helpful: Switching from Apache: Open_Basedir in the Shared Hosting Environment Additionally, there's a thread here you may want to review as well: [Solved] LSCache issue when disabling user Let us know if this helps. Thank you.

  0

Please sign in to leave a comment.