How does PHP open_basedir work?

PHP admin directives for open_basedir are added to each virtual host in httpd.conf. These directives limit users' access via PHP to only the following directories:

/usr/lib/php
/usr/local/lib/php
/tmp
/usr/php4/lib/php and /usr/local/php4/lib/php (only if PHP 4 is compiled into Apache)

cPanel PHP open_basedir Tweak

open_basedir: a PHP feature that prevents users from opening files outside their home directories. It can be enabled with WHM's PHP open_basedir Tweak feature.

This parameter allows you to limit file operations to a specific directory. Attackers will often attempt to find ways to include local files in PHP scripts to gain information about your server’s filesystem.

(WHM >> Security Center >> PHP open_basedir Tweak)

The open_basedir tweak prevents users from browsing the file system using PHP. It does this by limiting PHP’s access to the user’s home directory, /tmp, and a few necessary PHP system directories. If you wish to use the open_basedir tweak with a PHP handler other than DSO, you will need to manually specify the open_basedir directive in each user’s php.ini file.

To prevent accounts from accessing foreign files using PHP:

#Click the Enable php open_basedir Protection checkbox at the top of the list.
#Select domains you wish to exclude, disabling protection for their files.
#Click Save.

PHP hardening options: allow_url_fopen and allow_url_include

Set

allow_url_fopen = Off

Disabling this option prevents an attacker who finds a file inclusion vulnerability from making your server open remote files.

Set

allow_url_include = Off

Disabling this option prevents an attacker who finds a file inclusion vulnerability from making your server include remote files.

PHP checklist parameter: disable_functions

Values: A comma-separated list of functions to disable.

This parameter takes a comma-separated list of PHP functions you wish to disable. You will likely want to disable most or all of the PHP functions that can execute commands on the server. Take the time to talk to your developers and have them standardize on a particular function for shell operations as well, so that the rest can be disabled.

Example:

disable_functions = dl,system,exec,passthru,shell_exec
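As an added example (not code from cPanel or from the page's author), the POSIX shell script below audits a php.ini file against the checklist above: it reads allow_url_fopen, allow_url_include, open_basedir and disable_functions, and it also flags open_basedir entries that lack a trailing slash, because PHP matches each entry as a string prefix rather than as a directory name. The two php.ini fragments it runs against are constructed for the example; the function names, the /home/example/ path and the temporary files are assumptions of the example, not part of cPanel.

```shell
#!/bin/sh
# Added example, not from the cPanel documentation: audit a php.ini file for the
# hardening directives discussed above (open_basedir, allow_url_fopen,
# allow_url_include, disable_functions). Runs against two constructed php.ini
# fragments written to temp files so it is self-contained; on a real cPanel
# server point audit_ini at /usr/local/lib/php.ini.

# ini_get FILE DIRECTIVE: print the directive's value. The last uncommented
# assignment wins (as in PHP); trailing ';' comments and surrounding double
# quotes are stripped. Prints nothing if the directive is not set.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//'
}

# check_off FILE DIRECTIVE: succeed only if the directive is explicitly off.
# PHP treats off/false/no/none/0 (case-insensitively) as boolean false.
check_off() {
    v=$(ini_get "$1" "$2" | tr 'A-Z' 'a-z')
    case "$v" in
        off|false|no|none|0) echo "OK   $2 = Off"; return 0 ;;
        "")                  echo "WARN $2 is not set; set it to Off explicitly"; return 1 ;;
        *)                   echo "WARN $2 = $v (should be Off)"; return 1 ;;
    esac
}

# check_open_basedir FILE: require open_basedir to be set, and flag entries
# without a trailing slash. PHP matches open_basedir entries as string
# prefixes, so "/home/alice" also admits "/home/alice2"; "/home/alice/" does not.
check_open_basedir() {
    obd=$(ini_get "$1" open_basedir)
    if [ -z "$obd" ]; then
        echo "WARN open_basedir is not set; PHP may open any file the web server can read"
        return 1
    fi
    obd_rc=0
    for d in $(printf '%s' "$obd" | tr ':' ' '); do    # ':' separates entries on Unix
        case "$d" in
            */) echo "OK   open_basedir entry $d" ;;
            *)  echo "WARN open_basedir entry $d has no trailing slash (prefix match)"; obd_rc=1 ;;
        esac
    done
    return $obd_rc
}

# check_disable_functions FILE: verify that every function in WANT_DISABLED is
# listed. The list mirrors the page's example; proc_open and popen are common
# additions since they also spawn processes.
WANT_DISABLED="dl system exec passthru shell_exec"
check_disable_functions() {
    have=$(ini_get "$1" disable_functions | tr -d ' ')
    missing=""
    for f in $WANT_DISABLED; do
        case ",$have," in *",$f,"*) ;; *) missing="$missing $f" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "WARN disable_functions does not cover:$missing"
        return 1
    fi
    echo "OK   disable_functions covers: $WANT_DISABLED"
    return 0
}

# audit_ini FILE: run all checks; the exit status is the number of WARN results.
audit_ini() {
    warnings=0
    check_off "$1" allow_url_fopen   || warnings=$((warnings + 1))
    check_off "$1" allow_url_include || warnings=$((warnings + 1))
    check_open_basedir "$1"          || warnings=$((warnings + 1))
    check_disable_functions "$1"     || warnings=$((warnings + 1))
    return $warnings
}

# Constructed sample inputs (not real server configuration).
WEAK=$(mktemp) && HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
; constructed php.ini fragment: stock defaults, nothing hardened
allow_url_fopen = On
allow_url_include = Off
disable_functions =
EOF
cat > "$HARD" <<'EOF'
; constructed php.ini fragment: hardened per the checklist above
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/home/example/:/usr/lib/php/:/usr/local/lib/php/:/tmp/"
disable_functions = dl,system,exec,passthru,shell_exec
EOF

echo "== weak php.ini ==";     audit_ini "$WEAK" || echo "$? warning(s)"
echo "== hardened php.ini =="; audit_ini "$HARD" || echo "$? warning(s)"
```

The script reports three warnings for the unhardened fragment (allow_url_fopen on, open_basedir unset, disable_functions empty) and none for the hardened one. Because cPanel writes open_basedir per virtual host and per-user php.ini files when a handler other than DSO is used, run the audit against each php.ini that is actually loaded rather than only the global one.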

Editing Your php.ini File

A cPanel server's php.ini file is located at /usr/local/lib/php.ini. cPanel strongly recommends using WHM's PHP Configuration Editor feature (Main >> Service Configuration >> PHP Configuration Editor) to edit PHP's configuration file.

You must access the Advanced Configuration Editor to change many of the settings.

Example:

safe_mode

Safe mode attempts to solve many of the problems associated with using PHP in a shared hosting environment. It checks the user ID (UID) of the PHP script against the UID of the files and directories the script attempts to access; if the UIDs do not match, the script is not allowed to access the requested file or directory.

Note: This feature is deprecated as of PHP 5.3.0.

Reference: http://cpanel.net/
