PHP open_basedir Tweak
For WHM version 11.30
(WHM >> Security Center >> PHP open_basedir Tweak)
The open_basedir tweak prevents users from browsing the file system using PHP. It does this by limiting PHP's access to the user's home directory, /tmp, and a few necessary PHP system directories. If you wish to use the open_basedir tweak with a PHP handler other than DSO, you will need to manually specify the open_basedir directive in each user's php.ini file.
To prevent accounts from accessing foreign files using PHP:
- Click the Enable php open_basedir Protection checkbox at the top of the list.
- Select domains you wish to exclude, disabling protection for their files.
- Click Save.
How does it work?
PHP admin directives for open_basedir are added to each Virtual Host in httpd.conf. These directives limit users' access via PHP to the user's home directory and the following directories:
- /usr/lib/php
- /usr/local/lib/php
- /tmp
- If PHP 4 is compiled into Apache, /usr/php4/lib/php and /usr/local/php4/lib/php
Caveats
This security tweak modifies the Apache configuration file, regardless of the PHP handler currently selected. Apache configuration file directives for PHP only take effect if the DSO handler is selected. If PHP is configured to run as a CGI, suPHP, or FastCGI process, you must manually specify the open_basedir directive in the appropriate php.ini file. Each user will need his or her own php.ini file when using a PHP handler other than DSO.
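Because the tweak is silently ineffective under non-DSO handlers, it helps to audit the per-user php.ini files. The script below is an added example, not part of cPanel or of the original page: it checks that a php.ini sets open_basedir and that every entry is either inside the account's home directory or one of the system directories listed above. The php.ini path and home directory are passed in by the caller (their locations are assumptions, as are the function names), and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit one account's php.ini for the open_basedir setting.
# System directories copied from the page's list (add the PHP 4 paths if they
# apply to your build); the home directory is supplied per account.
ALLOWED="/usr/lib/php /usr/local/lib/php /tmp"

# Print the open_basedir value from a php.ini (last uncommented assignment).
get_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_php_ini <php.ini path> <account home dir>
# Returns 0 OK, 1 file missing, 2 directive unset, 3 entry outside allowed set.
check_php_ini() {
    ini=$1
    home=${2%/}
    [ -f "$ini" ] || { echo "MISSING $ini"; return 1; }
    value=$(get_open_basedir "$ini")
    [ -n "$value" ] || { echo "UNSET   $ini"; return 2; }
    set -f                                  # no globbing while splitting
    for entry in $(printf '%s' "$value" | tr ':' ' '); do
        dir=${entry%/}
        match=no
        case "$dir" in
            "$home"|"$home"/*) match=yes ;; # inside the account's own home
        esac
        for ok in $ALLOWED; do
            if [ "$dir" = "$ok" ]; then match=yes; fi
        done
        if [ "$match" = no ]; then
            set +f
            echo "LOOSE   $ini: $entry"
            return 3
        fi
    done
    set +f
    echo "OK      $ini"
}

# Usage (hypothetical paths): sh check_basedir.sh /home/alice/php.ini /home/alice
if [ "$#" -eq 2 ]; then check_php_ini "$1" "$2"; fi
```

A result of UNSET or MISSING on a CGI, suPHP, or FastCGI server means that account's PHP scripts are not confined by open_basedir, even if the WHM checkbox is enabled.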
Topic revision: r6 - 06 Oct 2011 - 15:17:00 - Main.GeorgeAlpizar