• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Customer | change PHP open_basedir

Elompenta

Regular Pleskian
Ist there any configuration available that a user can change his own PHP Settings, but NOT open_basedir settings over Plesk Backend and .htaccess php_admin_value?

If a user can change open_basedir itself to a other Location, they are able to jump to all places on the Server. In this szneraio a chrooted environment has no effect, because apache jumps around.

thanks so far
 
Hello Elompenta,

Much as they might be able to jump around and see the files in those locations, they can't write to them given the difference of user permissions and groups.
 
You can modify the Service Plans and Uncheck (under Permissions) the feature that says:

"Common PHP settings management If granted, allows customers to adjust common PHP settings individually for each site."

See this also:
https://kb.odin.com/en/113498
 
Sure, they can only read but they can read passwords! CMS database passwords, for example....

correct, thanks!

You can modify the Service Plans and Uncheck (under Permissions) the feature that says:
"Common PHP settings management If granted, allows customers to adjust common PHP settings individually for each site."

Yes, but than i remove disable all settings

There is no way to only remove the include_dir and open_basedir setting?
 
1) Remove functionionality from Plesk is okay
--->
Is it possible now to disable only settings for open_basedir in User GUI?
We don't want to disable all php settings for our users.


2) But what is with the .htaccess method to overwrite the adminentry and overwrite the entry?
- open_basedir is a "PHP_INI_ALL" setting, these klind of settings you can overwrite with .htaccess
PHP: Wo Konfigurationseinstellungen gesetzt werden können - Manual[/QUOTE]
--->
Changing open_basedir via htaccess or ini_set-function allows only specifical directories under the main setting in php.ini (GUI). So if it is possible to remove only this setting in plesk gui admin can set the vhost directory for example and the user is not able to change this setting to /etc for example.
 

This seems to be a security issue, if end-customers are able to grant itslef read-access to other vhost/environments.
A random user is able to read data on the whole server, like /etc/shadow, various PHP files or database passwords?

Please explain why every end-customer must can change this setting

thanks and best regards
 
The subscriber does not need to change the setting. It is good as it is by default. Expanding the basedir to other directories enables the subscription and the subscriber to access security sensitive data on the system.
 
When a subscriber has the "Common PHP settings management" permission, she can edit the PHP settings including the open_basedir restrictions. You must remove the "Common PHP settings management" checkmark to disable that option.

plesk_php_settings.jpg
 
Back
Top