mAurelius Posted March 1, 2014 Share Posted March 1, 2014 I have a VPS using FastCGI (WHM/cPanel). As I understand it, in my configuration with FCGI, open_basedir must be set using a php.ini file in each user's /home/ directory (From what I've read, it won't work to do it in the global httpd.conf or global php.ini). I want to use open_basedir for improved security, as I recently had a hack that involved traversing through different user's directories. I have added this value to a user's home directory php.ini file: open_basedir = /home/USERNAME/public_html:/usr/lib/php:/usr/local/lib/php:/tmp What I want to know is, is there a way to test that this is functioning properly? How do I know if it is enforcing it as it should? Presumably I would want to try and execute a .php file in another user's directory from within that first user...however I don't know of a good way to test this. Any suggestions would be greatly appreciated. Quote Link to comment Share on other sites More sharing options...
requinix Posted March 2, 2014 Share Posted March 2, 2014 Why not just make yourself a test user account, with the settings applied, and see if you can make a script that gets around the restriction. You can save yourself some work by simply verifying that the setting is there and correct and assume that PHP will enforce it. Quote Link to comment Share on other sites More sharing options...
kicken Posted March 2, 2014 Share Posted March 2, 2014 Note that open_basedir won't prevent someone from reading another users files if you still allow things like exec()/system() as they could just use those to get around the restriction. If you are using PHP-FPM one thing you can do is setup a separate pool for each user and set the chroot directive to lock them into their home directory. There wouldn't be any way the user could get around that restriction. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.