AD7six
Guest
Hi,
I write this message in part on behalf of my sys admin, who receives endless requests from me to 'fix' our Plesk servers each time one of our PHP sites suddenly shows a white page - caused by an open_base_dir restriction which was manually removed being reapplied by some Plesk process.
We work with a number of servers at my present company, all of which are using Plesk Control Panel 8.6. I'm finding the open_base_dir setup that Plesk uses by default to be a problem, and more importantly promoting insecure practices such as storing tmp files in a web accessible location (i.e. - making the classic upload a phishing.zip file to a vulnerable web and navigate to domain.com/temp/uploaded/files/can/be/found/here/phishing.html possible).
The setup I have always used, irrespective of the architecture in use is as follows: http://bin.cakephp.org/view/356756558
Subdomains are created using the same technique/setup.
We'd like to know how to remove entirely open_base_dir by default or at the very least change it to be the home dir of the domain user; and ensure that, for example, whenever someone creates a new domain via the Plesk admin panel - the open_base_dir restriction that we've removed/changed from the vhosts or other conf file does not get re-applied - which is what happens at the moment.
I hope later versions of Plesk don't use open base dir at all - it is to me only a needless addition to setting the right file permissions system wide in the first place (i.e. don't give the web user permission to execute/read anything it shouldn't be able to)
I've searched the forum http://forum.parallels.com/search.php?searchid=1863286 and googled around for resolving open_base_dir problems with Plesk but only found answers that aren't really acceptable. We don't want to edit each domain removing a default - which reapplies itself every time we create a new domain. We don't want servers that are insecure by default with some false logic that PHP files should never leave their own DocRoot, and can only be secured (in this regard, because of course there are many ways to exploit a web app) by manual/scripted post-processing.
Please let me know how I can continue to use Plesk without fighting against the open_base_dir restriction which seems to be forced upon us.
Regards,
AD