open_basedir

hey, i'm trying to get open_basedir to work on my virtualmin

if i add php_admin_value open_basedir "/home/testing/public_html" in the vhost.conf for the domain, it does nothing

if i in default server template under apache set PHP configuration variables for scripts open_basedir exactly ${HOME}/public_html

it doesn't do anything either... so is there a way to get this working, preferably automatically for all?

Status: Active

Comments

Howdy -- using "php_admin_value open_basedir" would only work if the domain was configured to use mod_php as its PHP Execution Mode. That's not the default though.

Let's start here -- if you edit "/home/testing/etc/php.ini", and add your "open_basedir" line into there, does that work correctly for your test domain?

yes that works fine, but i want it to be a place, where the user didn't have access to edit it.

If you wanted to use mod_php, you could go into Server Configuration -> Website Options, and change it to use mod_php there. Then, you could add PHP settings to the Apache config.

Alternatively, if you wanted to continue using FCGID or CGI, you could place the open_basedir settings you want in $HOME/etc/php.ini, and then lock the file by running "chattr +i" on it, which would prevent normal modifications from being made to it by either the user or as root.

You'd need to first run "chattr -i" on the php.ini before it could be changed again.

thanx... i wanna keep running FCGID but is there no way to make it so that webmin/virtualmin still can do its edits on it but the user can't delete/upload to it through ftp ?

also where do i edit so it comes in default on new servers in the php.ini ?

i wanna keep running FCGID but is there no way to make it so that webmin/virtualmin still can do its edits on it but the user can't delete/upload to it through ftp

Unfortunately, it's not possible to lock it down from FTP, and still allow edits through Virtualmin.

You could lock it down completely by using mod_php, or setting it as immutable with the chattr command... if you don't do that though, a user can make edits using both FTP and Virtualmin.

also where do i edit so it comes in default on new servers in the php.ini

On Debian, the file /etc/php5/cgi/php.ini is used as a template when a new Virtual Server is created.

You can use some variables in that file, such as ${HOME} -- those variables will be interpolated when the Virtual Server is set up.

thanx for the info... i hope open_basedir can be a default part of virtualmin security setup in the future when running in FCGID mode.

i will have to do with the chattr +i mode then. now i just need to make a little shell script to set it for all current users then ;)
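
The batch script mentioned in the last comment could look like the following. It is an added example, not code from the thread or from Virtualmin; it assumes top-level domain homes directly under /home, and the function names and the CHATTR override are made up for this sketch.

```shell
#!/bin/sh
# Added example: pin open_basedir in each domain's $HOME/etc/php.ini, then lock it.
# CHATTR is overridable only so the logic can be dry-run without root (assumption).
CHATTR="${CHATTR:-chattr}"

# set_open_basedir HOME_DIR
# Sets "open_basedir = HOME_DIR/public_html" and marks php.ini immutable.
set_open_basedir() {
    home=$1
    ini="$home/etc/php.ini"
    # Runs as root on user-writable paths: never write through a symlink.
    if [ -L "$home/etc" ] || [ -L "$ini" ] || [ ! -f "$ini" ]; then
        echo "skip: $ini is missing or a symlink" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    "$CHATTR" -i "$ini" 2>/dev/null || true   # unlock if already locked
    # Replace the first active or commented open_basedir line, drop any
    # further ones, and append the setting if the file had none.
    awk -v line="open_basedir = $home/public_html" '
        /^[[:space:]]*;?[[:space:]]*open_basedir[[:space:]]*=/ {
            if (!done) { print line; done = 1 }
            next
        }
        { print }
        END { if (!done) print line }
    ' "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Rewrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$ini" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    "$CHATTR" +i "$ini"
}

# lock_all_homes BASE_DIR: apply to every BASE_DIR/<user> that has etc/php.ini
lock_all_homes() {
    for h in "$1"/*; do
        [ -f "$h/etc/php.ini" ] || continue
        if set_open_basedir "$h"; then echo "locked: $h/etc/php.ini"; fi
    done
}

# Run as root: sh lock-basedir.sh --apply
if [ "${1:-}" = "--apply" ]; then
    lock_all_homes /home
fi
```

As noted earlier in the thread, a locked php.ini has to be unlocked with "chattr -i" before Virtualmin can change it again.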