How to test if open_basedir restriction is correctly enforced

php open_basedir apache linux whm

2 replies to this topic

#1 mAurelius

mAurelius

    Newbie

  • New Members
  • Pip
  • 1 posts

Posted 01 March 2014 - 04:19 PM

I have a VPS using FastCGI (WHM/cPanel). As I understand it, in my configuration with FCGI, open_basedir must be set using a php.ini file in each user's /home/ directory (from what I've read, it won't work to do it in the global httpd.conf or global php.ini).
 
I want to use open_basedir for improved security, as I recently had a hack that involved traversing through different users' directories.
 
I have added this value to a user's home directory php.ini file:
open_basedir = /home/USERNAME/public_html:/usr/lib/php:/usr/local/lib/php:/tmp
 
What I want to know is, is there a way to test that this is functioning properly? How do I know if it is enforcing it as it should? Presumably I would want to try and execute a .php file in another user's directory from within that first user; however, I don't know of a good way to test this. Any suggestions would be greatly appreciated.


#2 requinix

requinix

    Transforming Moderator

  • Moderators
  • 6,127 posts
  • Location: WA

Posted 01 March 2014 - 11:39 PM

Why not just make yourself a test user account, with the settings applied, and see if you can make a script that gets around the restriction? You can save yourself some work by simply verifying that the setting is there and correct and assume that PHP will enforce it.
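A concrete form of the test suggested above, added here as an example and not part of the original reply: a probe script that you drop into a test account's public_html and request once through the web server, so it runs under the same FastCGI/php.ini context as that account's real sites. It prints the effective open_basedir, tries accesses that should work and accesses that should be refused, and flags any probe that does not behave as expected. The paths $outsidePath and $allowedDir and the PHP 7.4+ arrow-function syntax are assumptions; adjust them to your layout.

```php
<?php
// Added example, not from the thread: probe whether open_basedir is enforced
// for the account this script runs under. Place it in a TEST account's
// public_html, request it once via HTTP, then delete it.
declare(strict_types=1);

header('Content-Type: text/plain');

$allowedDir  = __DIR__;                                   // inside the account's own tree
$outsidePath = '/home/OTHERUSER/public_html/index.php';   // placeholder: another account's tree

// open_basedir violations surface as E_WARNING. Capture them so the report
// does not depend on display_errors being turned on.
$lastWarning = '';
set_error_handler(function (int $errno, string $errstr) use (&$lastWarning): bool {
    $lastWarning = $errstr;
    return true; // mark as handled
});

/**
 * Runs one access attempt and prints whether PHP allowed or refused it.
 * A refused attempt returns false and (for open_basedir) leaves a warning
 * naming the restriction. Returns true when the outcome matched $expectRefused.
 */
function probe(string $label, callable $attempt, bool $expectRefused): bool
{
    global $lastWarning;
    $lastWarning = '';
    $result  = $attempt();
    $refused = ($result === false);
    $ok      = ($refused === $expectRefused);
    printf("%-24s %-8s %s\n", $label, $refused ? 'REFUSED' : 'ALLOWED', $ok ? 'ok' : '** UNEXPECTED **');
    if ($lastWarning !== '') {
        printf("%-24s warning: %s\n", '', $lastWarning);
    }
    return $ok;
}

echo "open_basedir      = ", ini_get('open_basedir') ?: '(not set!)', "\n";
echo "disable_functions = ", ini_get('disable_functions') ?: '(none)', "\n";
// function_exists() reports false for functions removed via disable_functions.
echo "exec() callable   = ", function_exists('exec') ? 'yes (a spawned shell is not subject to open_basedir)' : 'no', "\n\n";

$results = [
    // Accesses inside the allowed tree must keep working.
    probe('read own file',      fn() => file_get_contents(__FILE__), false),
    probe('list own directory', fn() => scandir($allowedDir), false),

    // Accesses outside must be refused by PHP itself. The check runs before
    // the filesystem is consulted, so the path need not exist.
    probe('stat outside path',  fn() => file_exists($outsidePath), true),
    probe('open outside path',  fn() => fopen($outsidePath, 'r'), true),
    probe('list /home',         fn() => scandir('/home'), true),
    probe('list /etc',          fn() => scandir('/etc'), true),

    // A script must not be able to widen the restriction at runtime:
    // ini_set() may only narrow open_basedir and returns false otherwise.
    probe('widen via ini_set',  fn() => ini_set('open_basedir', '/'), true),
];

$unexpected = count(array_filter($results, fn(bool $ok) => !$ok));
echo "\n", $unexpected === 0
    ? 'All probes behaved as expected.'
    : "$unexpected probe(s) did not behave as expected.", "\n";
```

If open_basedir is not being picked up from the per-user php.ini, the first line will show "(not set!)" and every "outside" probe will report ALLOWED, which is the case the original question is trying to detect. Run it from the test account only, and remove the file once you have the answer.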

#3 kicken

kicken

    Wiser? Not exactly.

  • Gurus
  • 2,709 posts
  • Location: Bonita, FL

Posted 01 March 2014 - 11:56 PM

Note that open_basedir won't prevent someone from reading another user's files if you still allow things like exec()/system(), as they could just use those to get around the restriction.

If you are using PHP-FPM, one thing you can do is set up a separate pool for each user and set the chroot directive to lock them into their home directory. There wouldn't be any way the user could get around that restriction.
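What the per-user PHP-FPM pool described above looks like in practice, as an added example rather than configuration from the thread. The account name alice, the paths under /home/alice, the socket location and the web server user nobody are placeholders; substitute your own.

```ini
; Added example: one PHP-FPM pool per hosting account, chrooted into its home.
; Everything named here (alice, /home/alice, nobody) is a placeholder.
[alice]
user = alice
group = alice

listen = /var/run/php-fpm/alice.sock
listen.owner = nobody        ; the web server's user, assumed here
listen.group = nobody
listen.mode = 0660

pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; Confine the worker processes to the account's home directory. Every path PHP
; sees afterwards is relative to this directory, so the document root, the
; SCRIPT_FILENAME the web server passes in, and open_basedir all change.
chroot = /home/alice

; /home/alice/public_html is /public_html inside the chroot. A /tmp directory
; must exist inside the chroot as well, since the host's /tmp is no longer visible.
php_admin_value[open_basedir] = /public_html:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp

; Close the gap noted above: a shell spawned from PHP is not subject to
; open_basedir, so remove the process-execution functions for this pool.
; php_admin_value settings cannot be overridden by ini_set() or .user.ini.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
```

Two practical consequences of chroot are worth checking before relying on it: the web server must hand PHP-FPM chroot-relative script paths (for nginx that means adjusting fastcgi_param SCRIPT_FILENAME), and anything PHP needs at runtime, such as a writable /tmp or timezone data, has to be present inside /home/alice. The probe script from the earlier reply, run from inside such a pool, is a quick way to confirm that /home and /etc are no longer reachable at all.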



