How to enable PHP open_basedir in CWP
** Note this is only for PHP-CGI
We have two options
- global config, one config file in the include folder /usr/local/php/php.d/ and in PHP selector include folders
- per-user config, the most secure option, as it restricts each user to their /home/USERNAME folder and also prevents users from using custom php.ini files.
Global Configuration
The most secure way to do this correctly, and to prevent users from overriding it, is to place the config into the include file. Please note that if you set this in /usr/local/php/php.ini, a custom user php.ini will be able to disable it. Please also note that the global config allows access to the full /home folder, while the per-user config restricts users to their /home/USERNAME folder, which is much more secure.
One line command to create a file and config:
echo "open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/" > /usr/local/php/php.d/open_basedir.ini
You can also do it by yourself by creating a file: /usr/local/php/php.d/open_basedir.ini with the following content:
open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/
To enable it for other PHP versions from the PHP selector, you can create these config files with the same content:
/opt/alt/php44/usr/php/php.d/open_basedir.ini
/opt/alt/php52/usr/php/php.d/open_basedir.ini
/opt/alt/php53/usr/php/php.d/open_basedir.ini
/opt/alt/php54/usr/php/php.d/open_basedir.ini
/opt/alt/php55/usr/php/php.d/open_basedir.ini
/opt/alt/php56/usr/php/php.d/open_basedir.ini
/opt/alt/php70/usr/php/php.d/open_basedir.ini
/opt/alt/php71/usr/php/php.d/open_basedir.ini
/opt/alt/php72/usr/php/php.d/open_basedir.ini
/opt/alt/php7/usr/php/php.d/open_basedir.ini
Testing:
Create a phpinfo file on some account/domain/subdomain ... and open it with a browser.
The open_basedir value should show the paths from the config.
Example PHP info file, phpinfo.php:
<?php phpinfo(); ?>
Per User open_basedir
To enable per-user open_basedir you can create a php.ini file in the user's /home folder.
Example: /home/USERNAME/php.ini. Make sure the file is owned by root so that the user can't disable it.
echo "open_basedir = /home/USERNAME:/tmp:/var/tmp:/usr/local/lib/php/" > /home/USERNAME/php.ini
chown root:root /home/USERNAME/php.ini
chmod 555 /home/USERNAME/php.ini
** Don't forget to replace the USERNAME.
Please note that this option will also disable all further custom per-folder user php.ini files, for example: /home/USERNAME/public_html/php.ini will not be loaded.
You can also place it into the public_html folder, but then users will be able to run custom php.ini files per folder and they can disable open_basedir.
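A check for the per-user setup described above, as an added example that is not part of the original page or of CWP: it verifies that a /home/USERNAME/php.ini is a regular file, owned by root, has no write bit, and that its open_basedir list stays inside that user's folder. The function name audit_user_ini and its optional OWNER_UID argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit one per-user php.ini.
# Usage: audit_user_ini INI_FILE USERNAME [OWNER_UID]
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can
# be exercised without root. The body runs in a subshell, so IFS and
# "set -f" changes do not leak into the caller.
audit_user_ini() (
    ini=$1 user=$2 want_uid=${3:-0} rc=0
    set -f

    if [ -L "$ini" ] || [ ! -f "$ini" ]; then
        echo "FAIL $ini: missing or not a regular file"
        return 1
    fi

    # "ls -ln" prints the mode string in field 1 and the numeric owner in field 3.
    set -- $(ls -ln "$ini")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || { echo "FAIL $ini: owner uid $uid, expected $want_uid"; rc=1; }
    case $mode in *w*) echo "FAIL $ini: mode $mode has a write bit"; rc=1 ;; esac

    # Use the last active open_basedir line; strip quotes and trailing blanks.
    value=$(sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$ini" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "FAIL $ini: no open_basedir directive"
        return 1
    fi

    # Entries under /home must be the user's own folder; "/" and empty
    # entries are rejected as well. Paths such as /tmp pass through.
    home_seen=0
    IFS=:
    for p in $value; do
        case ${p%/} in
            /home/"$user"|/home/"$user"/*) home_seen=1 ;;
            ""|/home|/home/*) echo "FAIL $ini: entry '$p' is not confined to /home/$user"; rc=1 ;;
        esac
    done
    [ "$home_seen" -eq 1 ] || { echo "FAIL $ini: /home/$user is not listed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $ini: $value"
    return "$rc"
)
```

On a server, call it once per account as audit_user_ini /home/USERNAME/php.ini USERNAME and treat any FAIL line as a config to recreate.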
RECOMMENDATION
We recommend using the per-user configuration of open_basedir as it will provide much higher security and isolate each client.
NGINX + PHP-FPM
Configuration files are:
/etc/nginx/conf.d/vhosts/DOMAIN.conf
/etc/nginx/conf.d/vhosts/DOMAIN.ssl.conf
Under fastcgi_param, add one more line and reload/restart nginx:
fastcgi_param PHP_ADMIN_VALUE "open_basedir =/home/USERNAME:/tmp:";
** Note that manual editing of the webserver vhost files is not recommended as those files get rebuilt from the template on each change.
Try checking the instructions here for the custom template build.
APACHE + PHP-FPM
The configuration files are all of the user's existing php-fpm configuration files. To get the list of files you can use this:
ls -la /opt/alt/php-fpm*/usr/etc/php-fpm.d/users/USERNAME.conf
Add at the bottom
php_admin_value[open_basedir] = /home/USERNAME:/tmp
** Note that editing any of those files requires restarting the php-fpm version you edited.
** Note that manual editing of the webserver vhost files is not recommended as those files get rebuilt from the template on each change.
Try checking the instructions here for the custom template build.