open_basedir settings

Discussion in 'Linux VPS/Dedicated - cPanel' started by tinat, Nov 2, 2007.

  1. tinat

    tinat New Member

    So, just signed up for a VPS yesterday, moved site, and I've been snooping around the WHM to see what magical things I can do now which I couldn't do on shared hosting. :D

    I remembered one php setting that I was warned about a couple of years ago when our site (which runs on mambo&smf) got hacked. One of the people from the smf team warned me back then that if open_basedir is not defined in php.ini, it makes remote file execution hacks possible. My host didn't want to change that, so I just lived with it.

    But now we're on a VPS, and I have access to my php.ini file. I'm wondering if I should enter something into the open_basedir setting.

    If I do, what directory should I point it to? And, in general, what do more experienced php users here think of that, is it a wise idea?
     
  2. NeilHerbert

    NeilHerbert YummyHost

    Hi tinat, welcome to the KnownHost family :)

    In a production enviroment you should do as much as you can to secure your box, specially if you have any plans to offer your space and resources to other people. Every little helps...

    As far as I'm aware, the configuration options that cPanel provides is effective to prevent a user from executing or delving outside of his or her own home directory. You don't need to edit the php.ini or httpd.conf files yourself.

    You can enable open_basedir by visiting the security center within WHM and then going to PHP open_basedir Tweak.

    I hope this answers your question.
     
  3. tinat

    tinat New Member

    Genius! Didn't see that! Thanks loads!

    So simple!! :)
     
  4. cookie

    cookie Alien

    I thought it was enabled by default!
     
  5. laguna

    laguna New Member

    openbasedir and temporary accounts

    In securing my account, I enabled openbasedir. However, when I went to create an account for a domain name that I am not ready to transfer yet, there is no way to access it. You should be able to access it:

    myserver.com/~newdomain

    Support said I could not access it due to openbasedir and disabled openbasedir.

    Is there no way to enable openbasedir and provide access to temporary accounts? In some case, I am not ready to transfer the dns, so I must use a temporary account.
     
  6. Dan

    Dan Moderator

    I think you're confusing it with
    And it would be myserver.com/~<username> not domain name :)
     
  7. laguna

    laguna New Member

    that's correct

    I did mean username not domain. I was unable to access it and support said that was due to openbasedir and they disabled it. So is there anyway to be able to access an account where the dns has not been transferred yet with openbasedir?
     
  8. khiltd

    khiltd New Member

    As Dan said, open_basedir is a php.ini configuration directive which has absolutely nothing to do with DNS.
     
  9. laguna

    laguna New Member

    So are you saying support is wrong? After they disabled openbasedir, it does in fact work now.

    If they are wrong, then how do I access an account by username where the nameservers for the domain name are not yet pointing to the new account?

    Step 1: Create new account for a domain name that exists in the real world such as realworlddomain.com. However, we are not ready to point the nameservers to this new account

    Step 2: View the new account site by accessing it via IP address and username

    This did not work with openbasedir on. After support disabled openbasedir, it now works.
     
  10. khiltd

    khiltd New Member

    I'm saying you seem to be extremely confused, but I suppose that if you're storing PHP files outside the users' home directories then it is possible that having openbasedir on might break any scripts which attempt to include or require them.
     
  11. laguna

    laguna New Member

    According to support, when you set up a new domain, it is temporarily located at ip address/username. You either have to point the domain servers to that username or turn off openbasedir.
     
  12. khiltd

    khiltd New Member

    I'd love to see the actual support response that contained this information because it makes no sense whatsoever.
     
  13. stormrider

    stormrider New Member

    I guess they are correct.

    Because the VirtualHost running /~users can't access user's home when open_basedir is on since they are restricted to /etc/httpd/htdocs.
     
  14. khiltd

    khiltd New Member

    That would be an extremely unwise configuration decision I'd lump into the "that's what you get" category along with disabling SSH logins and copying and pasting dozens of mod_rewrite directives from some random blog.

    It would also only affect PHP scripts, not the ability of the domain or its associated DNS records to function normally.
     

Share This Page