
Customer | change PHP open_basedir

Elompenta

Regular Pleskian
Is there any configuration available so that a user can change their own PHP settings, but NOT the open_basedir setting, via the Plesk backend and .htaccess php_admin_value?

If a user can change open_basedir themselves to another location, they are able to jump to all places on the server. In this scenario a chrooted environment has no effect, because Apache jumps around.

thanks so far
 
Hello Elompenta,

Much as they might be able to jump around and see the files in those locations, they can't write to them, given the differences in user permissions and groups.
 
You can modify the Service Plans and Uncheck (under Permissions) the feature that says:

"Common PHP settings management If granted, allows customers to adjust common PHP settings individually for each site."

See this also:
https://kb.odin.com/en/113498
 
Sure, they can only read, but they can read passwords! CMS database passwords, for example...

correct, thanks!

You can modify the Service Plans and Uncheck (under Permissions) the feature that says:
"Common PHP settings management If granted, allows customers to adjust common PHP settings individually for each site."

Yes, but then I remove/disable all settings.

Is there no way to only remove the include_dir and open_basedir settings?
 
1) Removing functionality from Plesk is okay
--->
Is it possible now to disable only the settings for open_basedir in the user GUI?
We don't want to disable all PHP settings for our users.


2) But what about the .htaccess method of overriding the admin entry?
- open_basedir is a "PHP_INI_ALL" setting; this kind of setting can be overridden with .htaccess
PHP: Where a configuration setting may be set - Manual
--->
Changing open_basedir via .htaccess or the ini_set function only allows specific directories under the main setting in php.ini (GUI). So if it is possible to remove only this setting in the Plesk GUI, the admin can set the vhost directory, for example, and the user is not able to change this setting to /etc, for example.
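The tightening-only behaviour described above can be checked directly on the server. The script below is an added example and is not code from the thread or from Plesk; it assumes the operator has pinned the subscription's open_basedir outside the customer's control, for example with `php_admin_value open_basedir "/var/www/vhosts/example.com/:/tmp/"` in the Apache vhost configuration or `php_admin_value[open_basedir]` in a PHP-FPM pool (the vhost path is assumed). Per the PHP manual, a value set with php_admin_value cannot be overridden from .htaccess or ini_set(), and since PHP 5.3 a runtime ini_set('open_basedir') is accepted only if every new path lies inside the existing restriction.

```php
<?php
// Added example (not from the thread). Assumes open_basedir has already been
// pinned for this vhost by the server operator, e.g. in the Apache vhost config:
//   php_admin_value open_basedir "/var/www/vhosts/example.com/:/tmp/"
// (path assumed). Request this file through the restricted vhost, not the CLI.
declare(strict_types=1);

$assumedVhost = '/var/www/vhosts/example.com/';

function report(string $label, $value): void
{
    echo str_pad($label, 48), var_export($value, true), PHP_EOL;
}

$initial = ini_get('open_basedir');
report('open_basedir set by the server:', $initial);

if ($initial === false || $initial === '') {
    // No restriction in place (e.g. a CLI run): the checks below would not apply,
    // because the first runtime assignment to an unset open_basedir is accepted.
    fwrite(STDERR, "open_basedir is not set for this SAPI; run this under the restricted vhost.\n");
    exit(1);
}

// 1. Widening is refused: ini_set() returns false and the server value stays.
$widened = @ini_set('open_basedir', '/');
report('ini_set to "/" returned:', $widened);                 // false
report('open_basedir afterwards:', ini_get('open_basedir'));   // unchanged

// 2. Reading outside the allowed paths is blocked (warning suppressed, returns false).
$outside = @file_get_contents('/etc/passwd');
report('file_get_contents(/etc/passwd):', $outside);           // false

// 3. Tightening to a subdirectory of the current restriction is allowed;
//    ini_set() returns the previous value on success. The change lasts for
//    this request only.
$tightened = @ini_set('open_basedir', $assumedVhost . 'httpdocs/');
report('tightened to httpdocs/, previous value:', $tightened);
report('open_basedir now:', ini_get('open_basedir'));

// 4. After tightening, /tmp (still allowed by the admin value) is off-limits too,
//    because the effective restriction can only shrink within a request.
$written = @file_put_contents('/tmp/open_basedir_probe', 'x');
report('file_put_contents to /tmp:', $written);                // false
```

Run it as a page in the subscription's httpdocs and compare the first and last lines of output: if the widening attempt in step 1 ever succeeds, the value is not coming from a php_admin_value (or the customer has been allowed to edit it in the panel), which is exactly the exposure discussed in this thread.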
 

This seems to be a security issue, if end-customers are able to grant themselves read access to other vhosts/environments.
A random user is able to read data on the whole server, like /etc/shadow, various PHP files or database passwords?

Please explain why every end-customer must be able to change this setting.

thanks and best regards
 
The subscriber does not need to change the setting. It is good as it is by default. Expanding the basedir to other directories enables the subscription and the subscriber to access security sensitive data on the system.
 
When a subscriber has the "Common PHP settings management" permission, she can edit the PHP settings including the open_basedir restrictions. You must remove the "Common PHP settings management" checkmark to disable that option.

 