any need for open_basedir paths with php selector and cagefs
Forum
  1. Forums
  2. General
  3. General Discussion
  1. John MacKenzie
  2. Wednesday, 20 March 2013
  3.  Subscribe via email
Hi Guys
is there any reason i need to keep my current openbasdir directives in the alternate versions of php.ini after installing cagefs and php selector?
such as
/home/:/usr/local/lib/php:/tmp:/usr/bin/gzip:/var/cpanel/rvglobalsoft/rvsitebuilder:/usr/local/IonCube
Thanks
John
Rate this post:
  1. 21.03.2013 10:03:51
  2. # 1
John MacKenzie Accepted Answer
Posts: 14
Joined: 02.04.2011
0
Votes
Undo
also wondering why open_basedir is listed as an option a user can change in their php selector otpions? does this not post a potential security risk?
  1. 25.03.2013 10:03:34
  2. # 2
Igor Seletskiy Accepted Answer
Posts: 1200
Joined: 09.02.2010
0
Votes
Undo
John,

That is because PHP Selector works only inside CageFS. And inside CageFS users are free to roam and explore -- there is no sensitive info anywhere.
And also because open_basedir is fake sense of security which I wish more people would understand. It is so easy to circumvent on most shared hosting platforms that its presence does exactly nothing.
Of course if you don't like your customers being able to change it, remove it:
http://docs.cloudlinux.com/index.html?custom_php_ini_options.html
  1. 10.11.2013 15:11:10
  2. # 3
Mike Tindor Accepted Answer
Posts: 35
Joined: 08.11.2013
0
Votes
Undo
Hi Igor,

Do I understand this correctly?

  • If CloudLinux + CageFS is installed (suPHP / suexec environment) and CageFS is enabled for all users, then all PHP/CGI requests (suPHP / suexec) are processed through the users' cage
  • For caged users, it doesn't matter if open_basedir is set or not, since PHP processes will not be able to break out of /home/

Is this correct?    Or is it still recommended to set per-user restrictive open_basedir in PHP.ini (PHP 5.3+) as an added safety measure?

Mike
  • Page :
  • 1


There are no replies made for this post yet.
Be one of the first to reply to this post!
Guest
Submit Your Response
Upload files or images for this discussion by clicking on the upload button below. Supports gif,jpg,png,zip,rar,pdf
• Insert • Remove Upload Files (Maximum File Size: 2 MB)
Captcha
To protect the site from bots and unauthorized scripts, we require that you enter the captcha codes below before posting your question.