ServerBuddies Support Blog

Cpanel PHP open_basedir Tweak

open_basedir: A feature that uses PHP to prevent users from opening files outside their home directories. This can be enabled using WHM’s PHP open_basedir Tweak feature.

This parameter allows you to limit file operations to a specific directory. Attackers will often attempt to find ways to include local files in PHP scripts to gain information about your server’s filesystem.

The open_basedir tweak prevents users from browsing the file system using PHP. It does this by limiting PHP’s access to the user’s home directory, /tmp, and a few necessary PHP system directories. If you wish to use the open_basedir tweak with a PHP handler other than DSO, you will need to manually specify the open_basedir directive in each user’s php.ini file.

To prevent accounts from accessing foreign files using PHP:

#Click the Enable php open_basedir Protection checkbox at the top of the list.
#Select domains you wish to exclude, disabling protection for their files.
#Click Save.

Cpanel Important PHP options

Most PHP options simply enable an extension that is shipped with PHP.

CGI — This option is enabled by default. Disabling this option will cause a PHP CLI binary to install in /usr/bin/php and /usr/local/bin/php. When no CGI binary is available, your server will be unable to serve PHP requests without DSO.

Concurrent DSO patch — By default, Apache is unable to load libphp4 and libphp5 simultaneously. This option applies a patch to PHP that versions objects in libphp4 and libphp5. This option will also create new Apache directives so that both PHP 4 and 5 can be communicated with separately.

This option is not required if you will serve both versions of PHP via SuPHP, CGI, or FCGID.

Important: Compiled PHP extensions other than those shipped with PHP will not function correctly with this patch enabled. Enabling this module may also render some PECL and PEAR modules nonfunctional. Do not use this module unless you must serve both PHP 4 and 5 as DSOs and can work around other issues it will case.

Reference: http://cpanel.net/

Cpanel Apache options related to PHP

Apache options that directly affect how PHP is served.

* CGI (mod_cgi) — This module is required for Apache to execute CGI scripts. Leave this option enabled. Disabling it will prevent mod_cgi from serving PHP pages.

* CGID (mod_cgid) — This module is only available for Apache 2.x and is required as a replacement for mod_cgi when using threaded MPMs. If you wish to use a threaded MPM, make sure this module is enabled.
* Mod FCGID — This module is only available with Apache 2.x and allows Apache to create and manage FastCGI server processes that remain in memory between HTTP requests. Because any binary capable of using the FastCGI protocol can be managed using this module, you can enable mod_fcgid independently of FastCGI support in PHP. This would, for instance, allow you to serve Ruby via FastCGI.

Referemce : FastCGI documentation - http://www.fastcgi.com/drupal/node/6

Standard PHP extensions

EasyApache has the ability to install, uninstall, and update several popular PHP extensions as part of the build process. When EasyApache runs, it will automatically determine which extensions are active in the main php.ini file at /usr/local/lib/php.ini.

Active extensions will automatically be selected in the EasyApache interface.

Rerunning EasyApache is not required in order to enable or disable the standard PHP extensions. cPanel now provides a tool called

/scripts/phpextensionmgr that can also be used for the installation or removal of PHP extensions.

For detailed information about this tool, run the following command:

Cpanel Apache build Summary

When Apache is rebuilt using EasyApache, the current configuration is processed and stored. After the build process is complete, the new Apache configuration file is processed to yield a new template and add any missing configuration values.

Finally, the previous data stores and the new template are used to generate the completed Apache configuration file.

Reference: http://cpanel.net