open_basedir settings

tinat

New Member
So, just signed up for a VPS yesterday, moved site, and I've been snooping around the WHM to see what magical things I can do now which I couldn't do on shared hosting. :D

I remembered one php setting that I was warned about a couple of years ago when our site (which runs on mambo&smf) got hacked. One of the people from the smf team warned me back then that if open_basedir is not defined in php.ini, it makes remote file execution hacks possible. My host didn't want to change that, so I just lived with it.

But now we're on a VPS, and I have access to my php.ini file. I'm wondering if I should enter something into the open_basedir setting.

If I do, what directory should I point it to? And, in general, what do more experienced php users here think of that, is it a wise idea?
 
Hi tinat, welcome to the KnownHost family :)

In a production enviroment you should do as much as you can to secure your box, specially if you have any plans to offer your space and resources to other people. Every little helps...

As far as I'm aware, the configuration options that cPanel provides is effective to prevent a user from executing or delving outside of his or her own home directory. You don't need to edit the php.ini or httpd.conf files yourself.

You can enable open_basedir by visiting the security center within WHM and then going to PHP open_basedir Tweak.

I hope this answers your question.
 
openbasedir and temporary accounts

In securing my account, I enabled openbasedir. However, when I went to create an account for a domain name that I am not ready to transfer yet, there is no way to access it. You should be able to access it:

myserver.com/~newdomain

Support said I could not access it due to openbasedir and disabled openbasedir.

Is there no way to enable openbasedir and provide access to temporary accounts? In some case, I am not ready to transfer the dns, so I must use a temporary account.
 
In securing my account, I enabled openbasedir. However, when I went to create an account for a domain name that I am not ready to transfer yet, there is no way to access it. You should be able to access it:

myserver.com/~newdomain

Support said I could not access it due to openbasedir and disabled openbasedir.

Is there no way to enable openbasedir and provide access to temporary accounts? In some case, I am not ready to transfer the dns, so I must use a temporary account.

I think you're confusing it with
Apache mod_userdir Tweak

The mod_userdir tweak enables/disables the ability to view sites on your server by typing http://servers.host.name/~username.

And it would be myserver.com/~<username> not domain name :)
 
that's correct

I did mean username not domain. I was unable to access it and support said that was due to openbasedir and they disabled it. So is there anyway to be able to access an account where the dns has not been transferred yet with openbasedir?
 
I did mean username not domain. I was unable to access it and support said that was due to openbasedir and they disabled it. So is there anyway to be able to access an account where the dns has not been transferred yet with openbasedir?

As Dan said, open_basedir is a php.ini configuration directive which has absolutely nothing to do with DNS.
 
So are you saying support is wrong? After they disabled openbasedir, it does in fact work now.

If they are wrong, then how do I access an account by username where the nameservers for the domain name are not yet pointing to the new account?

Step 1: Create new account for a domain name that exists in the real world such as realworlddomain.com. However, we are not ready to point the nameservers to this new account

Step 2: View the new account site by accessing it via IP address and username

This did not work with openbasedir on. After support disabled openbasedir, it now works.
 
So are you saying support is wrong?

I'm saying you seem to be extremely confused, but I suppose that if you're storing PHP files outside the users' home directories then it is possible that having openbasedir on might break any scripts which attempt to include or require them.
 
According to support, when you set up a new domain, it is temporarily located at ip address/username. You either have to point the domain servers to that username or turn off openbasedir.
 
According to support, when you set up a new domain, it is temporarily located at ip address/username. You either have to point the domain servers to that username or turn off openbasedir.

I'd love to see the actual support response that contained this information because it makes no sense whatsoever.
 
According to support, when you set up a new domain, it is temporarily located at ip address/username. You either have to point the domain servers to that username or turn off openbasedir.

I guess they are correct.

Because the VirtualHost running /~users can't access user's home when open_basedir is on since they are restricted to /etc/httpd/htdocs.
 
I guess they are correct.

Because the VirtualHost running /~users can't access user's home when open_basedir is on since they are restricted to /etc/httpd/htdocs.

That would be an extremely unwise configuration decision I'd lump into the "that's what you get" category along with disabling SSH logins and copying and pasting dozens of mod_rewrite directives from some random blog.

It would also only affect PHP scripts, not the ability of the domain or its associated DNS records to function normally.
 
Top