Submitted by skelgaard on Sun, 10/21/2012 - 09:21 Pro Licensee
Hey, I'm trying to get open_basedir to work on my Virtualmin.
If I add php_admin_value open_basedir "/home/testing/public_html" in the vhost.conf for the domain, it does nothing.
If I set "PHP configuration variables for scripts" to open_basedir exactly ${HOME}/public_html in the default server template under Apache, it doesn't do anything either... So is there a way to get this working, preferably automatically for all?
Status:
Active
Comments
Submitted by andreychek on Sun, 10/21/2012 - 10:26 Comment #1
Howdy -- using "php_admin_value open_basedir" would only work if the domain was configured to use mod_php as its PHP Execution Mode. That's not the default though.
Let's start here -- if you edit "/home/testing/etc/php.ini", and add your "open_basedir" line into there, does that work correctly for your test domain?
Submitted by skelgaard on Sun, 10/21/2012 - 10:30 Pro Licensee Comment #2
Yes, that works fine, but I want it to be in a place where the user doesn't have access to edit it.
Submitted by andreychek on Sun, 10/21/2012 - 21:00 Comment #3
If you wanted to use mod_php, you could go into Server Configuration -> Website Options, and change it to use mod_php there. Then, you could add PHP settings to the Apache config.
Alternatively, if you wanted to continue using FCGID or CGI, you could place the open_basedir settings you want in $HOME/etc/php.ini, and then lock the file by running "chattr +i" on it, which would prevent normal modifications from being made to it by either the user or as root.
You'd need to first run "chattr -i" on the php.ini before it could be changed again.
Submitted by skelgaard on Mon, 10/22/2012 - 02:30 Pro Licensee Comment #4
Thanks... I wanna keep running FCGID, but is there no way to make it so that Webmin/Virtualmin can still do its edits on it but the user can't delete/upload to it through FTP?
Also, where do I edit so it comes in by default on new servers in the php.ini?
Submitted by andreychek on Mon, 10/22/2012 - 11:22 Comment #5
"i wanna keep running FCGID but there is no way to make it so, that webmin/virtualmin still can do its edits on it but the user can't delete/upload to it through ftp"
Unfortunately, it's not possible to lock it down from FTP, and still allow edits through Virtualmin.
You could lock it down completely by using mod_php, or setting it as immutable with the chattr command... if you don't do that though, a user can make edits using both FTP and Virtualmin.
"also where do i edit so it comes in default on new servers in the php.ini"
On Debian, the file /etc/php5/cgi/php.ini is used as a template when a new Virtual Server is created.
You can use some variables in that file, such as ${HOME} -- those variables will be interpolated when the Virtual Server is set up.
Submitted by skelgaard on Mon, 10/22/2012 - 13:05 Pro Licensee Comment #6
Thanks for the info... I hope open_basedir can be a default part of the Virtualmin security setup in the future when running in FCGID mode.
I will have to make do with the chattr +i mode then. Now I just need to make a little shell script to set it for all current users ;)
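
The approach settled on in this thread (open_basedir in $HOME/etc/php.ini, then chattr +i), as an added shell example that is not part of the original posts and is not Virtualmin code. The CHATTR override and passing the home directories as arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Virtualmin code. CHATTR can be overridden for a dry run
# (e.g. CHATTR=true); that override is an assumption of this example.
CHATTR=${CHATTR:-chattr}

# set_open_basedir HOME_DIR
# Pins open_basedir to HOME_DIR/public_html in HOME_DIR/etc/php.ini and marks
# the file immutable. Returns non-zero if the file is missing or a symlink.
set_open_basedir() {
    home=$1
    ini="$home/etc/php.ini"

    # The file sits where the user can write, so refuse symlinks: root must
    # not be steered into overwriting a file elsewhere on the system.
    if [ ! -f "$ini" ] || [ -L "$ini" ]; then
        echo "skip: $ini missing or a symlink" >&2
        return 1
    fi

    # A file locked on an earlier run cannot be rewritten, even by root.
    $CHATTR -i "$ini" || return 1

    tmp=$(mktemp) || return 1
    {
        # Put the directive first so it sits above every [section] header.
        printf 'open_basedir = "%s/public_html"\n' "$home"
        # Drop any existing open_basedir line, active or commented out.
        sed '/^[[:space:]]*;*[[:space:]]*open_basedir[[:space:]]*=/d' "$ini"
    } > "$tmp"

    # Overwrite in place so ownership and permissions stay as they were.
    cat "$tmp" > "$ini"
    rm -f "$tmp"

    $CHATTR +i "$ini"
}

# Apply to every home directory given on the command line, e.g. /home/*
for h in "$@"; do
    set_open_basedir "$h" || echo "failed: $h" >&2
done
```

Run it as root; because each file is unlocked before it is rewritten, it is safe to re-run after changing the template.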