How PHP open_basedir works
cPanel adds PHP admin directives (php_admin_value open_basedir) to each VirtualHost in httpd.conf. They limit the files PHP may open on behalf of an account to that account's home directory plus the following shared directories:
/usr/lib/php
/usr/local/lib/php
/tmp
If PHP 4 is compiled into Apache, /usr/php4/lib/php and /usr/local/php4/lib/php as well.
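The directive and the check it imposes, as an added example in shell (not cPanel's or PHP's own code). The account name alice, the trailing slashes and the demo paths are my assumptions; the script emits the per-VirtualHost line and models open_basedir's comparison, which is a string-prefix match, so an entry without a trailing slash also admits sibling directories that share the prefix.

```shell
#!/bin/sh
# Added example (not cPanel's or PHP's own code): emits the per-VirtualHost
# directive described above and models the prefix check that open_basedir
# performs.  The user name "alice" is a placeholder.

# open_basedir value for one account: the home directory plus the shared
# directories the page lists.  Trailing slashes are deliberate: open_basedir
# compares by string prefix, so "/home/alice" would also admit "/home/alice2".
openbasedir_for_user() {
    printf '/home/%s/:/usr/lib/php/:/usr/local/lib/php/:/tmp/\n' "$1"
}

# httpd.conf line to place inside that account's <VirtualHost> block.
# php_admin_value cannot be overridden from .htaccess or ini_set().
vhost_directive() {
    printf 'php_admin_value open_basedir "%s"\n' "$(openbasedir_for_user "$1")"
}

# in_basedir PATH LIST: exit 0 if PATH begins with any colon-separated entry
# of LIST, 1 otherwise.  PHP canonicalises the path (symlinks, "..") before
# this comparison, so pass an absolute, resolved path.
in_basedir() {
    path="$1"
    list="$2"
    old_ifs="$IFS"
    IFS=':'
    for dir in $list; do
        case "$path" in
            "$dir"*) IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# Demonstration: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    list="$(openbasedir_for_user alice)"
    vhost_directive alice
    for p in /home/alice/public_html/index.php /etc/passwd /home/alice2/x.php; do
        if in_basedir "$p" "$list"; then echo "allowed: $p"; else echo "denied:  $p"; fi
    done
    # The slash-less form leaks: /home/alice is a prefix of /home/alice2.
    if in_basedir /home/alice2/x.php "/home/alice:/tmp"; then
        echo "prefix leak: /home/alice admits /home/alice2/x.php"
    fi
fi
```

Run it with the demo argument to see the directive and the three sample paths classified; the last line shows why every entry should end in a slash.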
Tags: open_basedir, PHP
cPanel PHP open_basedir Tweak
open_basedir: a PHP directive that stops scripts from opening files outside their account's home directory (plus a few shared directories). It can be enabled with WHM's PHP open_basedir Tweak.
This directive confines PHP file operations to the listed directories. Attackers often look for local file inclusion bugs in PHP scripts to read files elsewhere on the server's filesystem; with open_basedir set, those reads fail.
(WHM >> Security Center >> PHP open_basedir Tweak)
The open_basedir tweak stops users from browsing the filesystem with PHP by limiting PHP's access to the user's home directory, /tmp, and a few PHP system directories. The tweak writes the directive into httpd.conf, which the DSO handler honours; with any other PHP handler you must set the open_basedir directive in each user's php.ini yourself. Note that open_basedir restricts PHP's own file functions, not programs started through exec() or system(), so pair it with disable_functions.
To prevent accounts from accessing foreign files using PHP:
1. Tick the Enable php open_basedir Protection checkbox at the top of the list.
2. Select any domains you wish to exclude; protection is disabled for their files.
3. Click Save.
Tags: cpanel, open_basedir, PHP, Tweak
PHP hardening options: allow_url_fopen and allow_url_include
Set allow_url_fopen = Off
Disabling this prevents PHP's file functions (fopen, file_get_contents and so on) from opening http:// or ftp:// URLs, which attackers abuse through file inclusion vulnerabilities to pull content from remote hosts via your server.
Set allow_url_include = Off
Disabling this prevents include and require from loading remote URLs (remote file inclusion). The setting only takes effect when allow_url_fopen is On, and it is deprecated as of PHP 7.4. Leave both Off unless an application demonstrably needs URL wrappers, in which case enable allow_url_fopen alone.
Tags: allow_url_fopen, allow_url_include, Hardening, PHP
PHP checklist parameter: disable_functions
Values: a comma-separated list of functions to disable.
This parameter takes a comma-separated list of PHP functions you wish to disable. You will likely want to disable most or all of the functions that can run external commands or load native code. Take the time to talk to your developers and have them standardize on a single function for shell operations, so everything else can be disabled. disable_functions can only be set in php.ini or httpd.conf; a script cannot re-enable a function with ini_set().
Example:
disable_functions = dl,system,exec,passthru,shell_exec
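An audit script for the two preceding items (the allow_url_* options and disable_functions) plus open_basedir, as an added example in shell; it is not cPanel's tooling. The two php.ini fragments it checks are constructed for the example, and the required disable_functions list is the page's five names plus popen and proc_open, which also run commands (my addition).

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): audits a php.ini for the settings
# covered above.  Sample files are constructed inline; the required
# disable_functions list is the page's five plus popen and proc_open, which
# also run commands (my addition).
REQUIRED_DISABLED="dl system exec passthru shell_exec popen proc_open"

# ini_value FILE KEY: print the last value assigned to KEY, as PHP does when a
# directive is repeated.  Strips comments and surrounding quotes.  (A ';'
# inside a quoted value is treated as a comment here; none of the audited
# directives need one.)
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            line = $0
            sub(/;.*$/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# ini_bool VALUE: exit 0 when PHP would read VALUE as true (1/On/Yes/True).
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: print one WEAK line per finding; exit 1 if any.
audit_php_ini() {
    f="$1"
    problems=0
    for k in allow_url_fopen allow_url_include; do
        if ini_bool "$(ini_value "$f" "$k")"; then
            echo "WEAK: $k is enabled; set $k = Off"
            problems=$((problems + 1))
        fi
    done
    disabled=",$(ini_value "$f" disable_functions | tr -d ' '),"
    for fn in $REQUIRED_DISABLED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "WEAK: $fn is not in disable_functions"
               problems=$((problems + 1)) ;;
        esac
    done
    if [ -z "$(ini_value "$f" open_basedir)" ]; then
        echo "WEAK: open_basedir is not set"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# count_weaknesses FILE: number of findings, for scripting.
count_weaknesses() {
    audit_php_ini "$1" | awk 'END { print NR }'
}

# Two constructed php.ini fragments: one unhardened, one as this page advises.
write_sample_inis() {
    WEAK_INI="$(mktemp)"
    HARD_INI="$(mktemp)"
    cat > "$WEAK_INI" <<'EOF'
; constructed sample: nothing hardened
allow_url_fopen = On
allow_url_include = Off
disable_functions =
EOF
    cat > "$HARD_INI" <<'EOF'
; constructed sample: hardened as recommended above
allow_url_fopen = Off
allow_url_include = Off
disable_functions = dl,system,exec,passthru,shell_exec,popen,proc_open
open_basedir = "/home/alice/:/usr/lib/php/:/usr/local/lib/php/:/tmp/"
EOF
}

# Demonstration: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    write_sample_inis
    echo "== weak =="; audit_php_ini "$WEAK_INI" || true
    echo "== hardened =="; audit_php_ini "$HARD_INI" && echo "no findings"
    rm -f "$WEAK_INI" "$HARD_INI"
fi
```

Point audit_php_ini at the real file (/usr/local/lib/php.ini on a cPanel server) to get the same report for a live configuration; the unhardened sample yields nine findings, the hardened one none.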
Tags: Checklist, disable_functions, parameter, PHP
Editing Your php.ini File
A cPanel server's php.ini file is located at /usr/local/lib/php.ini. cPanel strongly recommends using WHM's PHP Configuration Editor (Main >> Service Configuration >> PHP Configuration Editor) to edit it rather than editing the file by hand.
You must access the Advanced Configuration Editor to change many of the settings.
Example: safe_mode
Safe mode attempted to solve many of the problems of running PHP in a shared hosting environment.
It compares the user ID (UID) of the owner of the PHP script with that of each file or directory the script tries to access; if the UIDs do not match, access is refused.
Note: This feature is deprecated as of PHP 5.3.0 and was removed in PHP 5.4.0. On current PHP, use open_basedir and disable_functions instead.
Reference: http://cpanel.net/
Tags: editing, file, php.ini