How to enable PHP open_basedir in CWP

We have two options:
– global config: one config file in the include folder /usr/local/php/php.d/ and in the PHP selector include folders
– per-user config: the most secure option, as it restricts each user to their /home/USERNAME folder and also prevents users from using custom php.ini files.

Global Configuration
The most secure way to do this correctly, and to prevent users from overriding it, is to place the config into the include file. Please note that if you set this in /usr/local/php/php.ini, a custom user php.ini will be able to disable it. Also note that the global config allows access to the full /home folder, while the per-user config restricts users to their /home/USERNAME folder, which is much more secure.

One-line command to create the file with the config:

echo "open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/" > /usr/local/php/php.d/open_basedir.ini

You can also do it yourself by creating the file /usr/local/php/php.d/open_basedir.ini with the following content:

open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/

To enable it for other PHP versions from the PHP selector, create these config files with the same content:

/opt/alt/php44/usr/php/php.d/open_basedir.ini
/opt/alt/php52/usr/php/php.d/open_basedir.ini
/opt/alt/php53/usr/php/php.d/open_basedir.ini
/opt/alt/php54/usr/php/php.d/open_basedir.ini
/opt/alt/php55/usr/php/php.d/open_basedir.ini
/opt/alt/php56/usr/php/php.d/open_basedir.ini
/opt/alt/php70/usr/php/php.d/open_basedir.ini
/opt/alt/php71/usr/php/php.d/open_basedir.ini
/opt/alt/php72/usr/php/php.d/open_basedir.ini
/opt/alt/php7/usr/php/php.d/open_basedir.ini

Testing:
Create a phpinfo file on some account/domain/subdomain … and open it in a browser.
The open_basedir value should show the paths from the config.

Example phpinfo file, phpinfo.php:

<?php phpinfo(); ?>

Per User open_basedir
To enable per-user open_basedir, create a php.ini file in the user's home folder.
Example: /home/USERNAME/php.ini. Make sure the file is owned by root so that the user can't disable it.

echo "open_basedir = /home/USERNAME:/tmp:/var/tmp:/usr/local/lib/php/" > /home/USERNAME/php.ini
chown root:root /home/USERNAME/php.ini
chmod 555 /home/USERNAME/php.ini

** Don't forget to replace USERNAME.

Please note that this option will also disable all further custom per-folder user php.ini files; for example, /home/USERNAME/public_html/php.ini will not be loaded.

You can also place it in the public_html folder, but then users will be able to run custom php.ini files per folder, and they can disable open_basedir.
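
An added check, not part of the original guide or of CWP itself: a shell audit that verifies each account's /home/USERNAME/php.ini is root-owned, has no write bit set, and sets an open_basedir whose /home entries stay inside that user's own folder. The function names and the HOME_ROOT and OWNER_UID parameters are assumptions introduced for this example, and it relies on GNU stat and find.

```sh
#!/bin/sh
# Added example: audit the per-user php.ini files described above.
# HOME_ROOT and OWNER_UID are hypothetical parameters (defaults: /home, uid 0).

# Print the open_basedir value set in an ini file (last assignment if repeated).
get_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '" '
}

# check_user_ini USERNAME [HOME_ROOT] [OWNER_UID]
# Returns 0 when the file matches the guide, else prints why and returns 1.
check_user_ini() {
    user=$1; root=${2:-/home}; uid=${3:-0}
    ini="$root/$user/php.ini"
    [ -f "$ini" ] || { echo "$user: $ini missing"; return 1; }
    [ "$(stat -c %u "$ini")" = "$uid" ] ||
        { echo "$user: $ini not owned by uid $uid"; return 1; }
    # chmod 555 leaves no write bit set for anyone
    [ -z "$(find "$ini" -perm /222)" ] ||
        { echo "$user: $ini has a write bit set"; return 1; }
    value=$(get_open_basedir "$ini")
    [ -n "$value" ] || { echo "$user: no open_basedir in $ini"; return 1; }
    # Entries outside HOME_ROOT (/tmp, /var/tmp, ...) pass; inside it only
    # the user's own folder is acceptable.
    rc=0; old_ifs=$IFS; IFS=:
    for p in $value; do
        case $p in
            "$root/$user"|"$root/$user"/*) ;;
            /|"$root"|"$root"/*) echo "$user: open_basedir allows $p"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# audit_all [HOME_ROOT] [OWNER_UID]: check every account folder.
audit_all() {
    home_root=${1:-/home}; owner=${2:-0}; failed=0
    for dir in "$home_root"/*/; do
        [ -d "$dir" ] || continue
        check_user_ini "$(basename "$dir")" "$home_root" "$owner" || failed=1
    done
    return $failed
}

# Run as: sh audit.sh --all [HOME_ROOT]
if [ "${1:-}" = "--all" ]; then audit_all "${2:-/home}"; fi
```

An account that only has the global config, or whose php.ini lives in public_html, is reported as missing, which matches the guide's point that those setups can be overridden.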