While suPHP has various security enhancements over DSO PHP such as running processes as the user rather than nobody as well as only allowing 755 folder and 644 file permissions, the option to allow individual php.ini files is a glaring security concern.
There are several methods that can be used to disallow users to have their own php.ini files under suPHP. The path you take will depend on whether you want to allow users to have their own in some circumstances or to restrict all accounts on the server to the global php.ini file at /usr/local/lib/php.ini location.
Restrict all accounts to the global php.ini file
To restrict all accounts to the global php.ini file, you would edit the /opt/suphp/etc/suphp.conf file:
Uncomment these lines:
Code:
[phprc_paths] ;Uncommenting these will force all requests to that handler to use the php.ini ;in the specified directory regardless of suPHP_ConfigPath settings. ;application/x-httpd-php=/usr/local/lib/ ;application/x-httpd-php4=/usr/local/php4/lib/ ;application/x-httpd-php5=/usr/local/lib/
Code:
[phprc_paths] ;Uncommenting these will force all requests to that handler to use the php.ini ;in the specified directory regardless of suPHP_ConfigPath settings. application/x-httpd-php=/usr/local/lib/ application/x-httpd-php4=/usr/local/php4/lib/ application/x-httpd-php5=/usr/local/lib/
If you have PHP 5.3+ and want to allow some accounts to have their own php.ini file
If you have restricted all accounts globally to the /usr/local/lib/php.ini file and want to have one or more accounts bypass the restriction, this is possible under PHP 5.3 using the global php.ini itself.
Method One: Allowing individual user_ini files
In /usr/local/lib/php.ini file, put the following line:
Code:
user_ini.filename = .my.ini
In the .my.ini file, you would be able to put only the changes you want to have such as register_globals = On for that account. Of note, only the PHP_INI_PERDIR and PHP_INI_USER directives are allowed in this file. Any PHP_INI_SYSTEM directives will not be changeable there.
Method Two: Putting individual user settings into the global php.ini file
This is the better method in my opinion. At the bottom of /usr/local/lib/php.ini file, you can actually define individual user php.ini directives with the path to that user's application:
Code:
[PATH=/home/username/public_html] register_globals=On post_max_size=5000M
Under Method One for the user_ini file, the user does have the ability to themselves modify directives in their .my.ini file on the account. Under Method Two for the global php.ini user path directives, only the administrator of the machine could modify the directives. Of note, anyone can create their own user_ini file under Method One, but they would need to know the name in the global php.ini to do so (since you can call the file anything, so it could be called .guessme.ini instead and users aren't then likely to know the name to bypass restrictions).
If you are using PHP 5.2 or earlier (PHP 5 only, not tested on PHP 4 nor guaranteed to work on PHP 4)
If you are not using PHP 5.3, then the prior methods will not work. This then leads instead to the more complicated option to allow some users to have their own php.ini file and some users to be restricted to the global php.ini file.
Under this method, you cannot have the phprc_paths uncommented, so you must have them commented out. As such, you would need to ensure /opt/suphp/etc/suphp.conf looks like the following for that area:
Code:
[phprc_paths] ;Uncommenting these will force all requests to that handler to use the php.ini ;in the specified directory regardless of suPHP_ConfigPath settings. ;application/x-httpd-php=/usr/local/lib/ ;application/x-httpd-php4=/usr/local/php4/lib/ ;application/x-httpd-php5=/usr/local/lib/
1. Restrict all users to the global php.ini
Create the following directory:
Code:
mkdir -p /usr/local/apache/conf/userdata
Code:
cd /usr/local/apache/conf/userdata vi suphp_config.conf
Code:
suPHP_ConfigPath /usr/local/lib
2. Allowing one user to have an individual php.ini
Create the following directories:
Code:
mkdir -p /usr/local/apache/conf/userdata/std/2/username
In that location, create the file:
Code:
cd /usr/local/apache/conf/userdata/std/2/username vi suphp_config.conf
Code:
suPHP_ConfigPath /home/username/
3. Adding additional directories
Further directories can be allowed on the user's account who is being allowed to have a php.ini file. If you change the entry to this in
/usr/local/apache/conf/userdata/std/2/username/suphp_config.conf location:
Code:
suPHP_ConfigPath /home/username/{public_html}/{folder1,folder2}
4. Checking the changes into httpd.conf
Create a backup of Apache in case you need to revert to it:
Code:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak100902
Now, run the following command to verify the includes:
Code:
/scripts/verify_vhost_includes
Code:
/scripts/ensure_vhost_includes --all-users
Code:
/scripts/rebuildhttpdconf /etc/init.d/httpd restart
1. mod_userdir exception
mod_userdir will bypasses the suPHP_ConfigPath restriction for the global php.ini file. If you have a user with the following url type:
http://hostname/~username/
That url will allow any php.ini files or suPHP_ConfigPath set into .htaccess to parse under mod_userdir. This is unwanted behavior, and the only current way I'm aware to prevent it would be to disable mod_userdir on such a system.
2. New accounts aren't restricted
Any accounts created after you have locked users into the global php.ini file using the
Code:
/scripts/ensure_vhost_includes --all-users /etc/init.d/httpd restart
Defining the suPHP_ConfigPath line in the VirtualHost entry in httpd.conf does not restrict the account to using that path if the
REFERENCES
http://forums.cpanel.net/f185/methods-increase-security-suphp-restricting-who-can-use-php-ini-files-167186.html
