Open Base Directory & UserDirectory

Hello.

I have a question. I didn’t actually think about this before, but I would like to know if InterWorx supports open_basedir restrictions. If so, how do I enable it (unless it is already enabled)? I don’t want to see someone somehow gaining access to an account on the server and wiping out other users simply because they can do so.

The mod_userdir question is more about bandwidth theft issues; however, it’s not that much of a problem.

InterWorx executes all PHP scripts as the user that the account is under, so open_basedir really doesn’t help you any at all.

Obviously when the script is running as the account user it carries over those Unix permissions, one of those being that it cannot access other users’ directories.

Hope this helps,

Peter

You mean PHPSuexec? I.e. CGI PHP or mod_php4 with some sort of modification?

I am almost positive that it is PHPSuexec. Hopefully an IWORX member can confirm.

Peter

I am hoping it’s not. It would make it a really bad idea for me, as for performance PHPSuexec is simply too slow.

Actually, PHP scripts run via mod_php4 are run as apache. PHP scripts run as CGIs are run as the user (via suexec). open_basedir can be turned on manually by adding the open_basedir directives to the conf files under /etc/httpd/conf.d/<domain>.conf.

Chris
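
Added example, not part of the thread and not InterWorx code: a small audit of the per-domain conf files mentioned above that reports which `<VirtualHost>` blocks lack an enforced open_basedir. It assumes the setting is applied with mod_php's `php_admin_value` directive; the hostnames, addresses and paths in the sample are constructed.

```python
import re

# Constructed sample of a per-domain conf file; names and paths are made up.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
    ServerName alpha.example
    DocumentRoot /home/alpha/alpha.example/html
    php_admin_value open_basedir "/home/alpha/:/tmp/"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName beta.example
    DocumentRoot /home/beta/beta.example/html
    # php_admin_value open_basedir "/home/beta/:/tmp/"
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName gamma.example
    DocumentRoot /home/gamma/gamma.example/html
    php_admin_value open_basedir /home/gamma:/tmp/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
SERVER = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
BASEDIR = re.compile(r"^\s*php_admin_value\s+open_basedir\s+(.+?)\s*$", re.M | re.I)

def audit(conf_text):
    """Return {ServerName: [findings]} for every <VirtualHost> block."""
    report = {}
    for body in VHOST.findall(conf_text):
        name = SERVER.search(body)
        name = name.group(1) if name else "(no ServerName)"
        match = BASEDIR.search(body)
        if not match:  # commented-out lines do not count as set
            report[name] = ["open_basedir not set with php_admin_value"]
            continue
        value = match.group(1).strip("\"'")
        if value.lower() == "none":  # "none" clears a previously set value
            report[name] = ["open_basedir explicitly disabled"]
            continue
        # Older PHP releases, including PHP 4, match each entry as a string
        # prefix, so "/home/gamma" would also cover "/home/gamma2"; a
        # trailing slash limits the entry to that one directory.
        report[name] = [f"entry without trailing slash: {p}"
                        for p in value.split(":") if p and not p.endswith("/")]
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONF).items():
        print(host, "->", findings or "ok")
```

To check a real server, pass the contents of each file under /etc/httpd/conf.d/ to `audit()` instead of the sample.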

Do you have plans to let people enable this open_basedir option globally? I saw in another thread that you were worried about bugs in the module. I’m not sure how accurate that assessment is. We’ve been using that option for two years now on our fleet of cPanel servers. No problems. For my InterWorx server, it doesn’t matter if I have to add this feature in manually.

Do you have plans for a FastCGI or PerChild module? I personally favour the FastCGI module. It’s got the security of CGI PHP and the speed of mod_php. Last time I used it, it was a little buggy.

We do have plans for open_basedir / safe_mode as your other post asked, they will be in there.

We’re investigating FastCGI, and the Apache per-child MPM appears dead unfortunately :(.

Chris

I’m not sure about the perchild module, but I’m pretty sure that FastCGI is still alive and kicking. Its demand is huge in applications like Zeus webservers and IIS PHP. To make PHP work consistently in a good production environment, FastCGI is the only option.

Or did you mean InterWorx development of those as possible features?

Just realised what you meant. ^.^ MPM is dead ^.^ Sorry about that. English isn’t my first language.

And what about the Metux MPM?

It seems that it is more advanced than the perchild MPM, which is faulty and seems to be dying.

Metux MPM has reached a stable release.

Did anybody try it?

Pascal

Unfortunately, it is not enough.

With curl or the Oracle lib a user may gain access to all your data even if open_basedir and/or safe mode is enabled.

OK, it is surely better than nothing :)

I think that the best solution, from a security point of view, should be to run PHP with FastCGI or something like perchild, or maybe have a proxy front end and run multiple instances of Apache on different ports (but it is not so easy to implement in virtual hosting).

Pascal