How to enable PHP open_basedir in CWP
We have two options:
- global config, one config file in the include folder /usr/local/php/php.d/ and in PHP selector include folders
- per-user config, the most secure option, as it restricts the user to their /home/USERNAME folder and also prevents users from using custom php.ini files.
The most secure way to do this correctly, and to prevent users from overriding it, is to place the config into the include file. Please note that if you set this in /usr/local/php/php.ini, a custom user php.ini will be able to disable it. Please note that the global config allows full /home folder access, while the per-user config restricts users to the /home/USERNAME folder, which is much more secure.
One line command to create a file and config:
echo "open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/" > /usr/local/php/php.d/open_basedir.ini
You can also do it by yourself by creating a file: /usr/local/php/php.d/open_basedir.ini with the following content:
open_basedir = /home:/tmp:/var/tmp:/usr/local/lib/php/
To enable it for other PHP versions from the PHP selector, you can create these config files with the same content:
/opt/alt/php44/usr/php/php.d/open_basedir.ini
/opt/alt/php52/usr/php/php.d/open_basedir.ini
/opt/alt/php53/usr/php/php.d/open_basedir.ini
/opt/alt/php54/usr/php/php.d/open_basedir.ini
/opt/alt/php55/usr/php/php.d/open_basedir.ini
/opt/alt/php56/usr/php/php.d/open_basedir.ini
/opt/alt/php70/usr/php/php.d/open_basedir.ini
/opt/alt/php71/usr/php/php.d/open_basedir.ini
/opt/alt/php72/usr/php/php.d/open_basedir.ini
/opt/alt/php7/usr/php/php.d/open_basedir.ini
Create a phpinfo file on some account/domain/subdomain ... and open it with a browser.
The open_basedir value shown on that page should match the value from the config.
PHP info file example phpinfo.php
<?php phpinfo(); ?>
Per User open_basedir
To enable per-user open_basedir, you can create a php.ini file in the user's /home folder.
Example: /home/USERNAME/php.ini. Make sure the file is owned by root so that the user can't disable it.
echo "open_basedir = /home/USERNAME:/tmp:/var/tmp:/usr/local/lib/php/" > /home/USERNAME/php.ini
chown root:root /home/USERNAME/php.ini
chmod 555 /home/USERNAME/php.ini
** Don't forget to replace USERNAME with the actual account name.
Please note that this option will also disable all further custom per-folder php.ini files for that user; for example, /home/USERNAME/public_html/php.ini will not be loaded.
You can also place it into the public_html folder, but then users will be able to run custom php.ini files per folder and they can disable open_basedir.
We recommend using the per-user configuration of open_basedir, as it provides much higher security and isolates each client.
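One way to check the result of the per-user steps above, as an added example that is not part of CWP or the original page: the script takes the last uncommented open_basedir line from a php.ini, reports any path outside /home/USERNAME and the shared paths used above (so a global-style /home entry is flagged), and then checks root ownership and the absence of write bits. The function names and the script name audit.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a per-user php.ini like the one created above.

# basedir_value FILE: print the last active (uncommented) open_basedir value.
basedir_value() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# audit_basedir FILE USERNAME: return 0 only if every path is /home/USERNAME
# (or below it) or one of the shared paths from this page's config line.
audit_basedir() {
    file=$1; user=$2; rc=0
    value=$(basedir_value "$file")
    if [ -z "$value" ]; then
        echo "$file: no open_basedir directive" >&2
        return 1
    fi
    old_ifs=$IFS; IFS=:; set -f            # split on ':' without globbing
    for p in $value; do
        case "$p" in
            */..|*/../*) bad=1 ;;                    # ".." escapes the prefix
            "/home/$user"|"/home/$user/"*) bad=0 ;;  # the user's own tree
            /tmp|/tmp/|/var/tmp|/var/tmp/) bad=0 ;;
            /usr/local/lib/php|/usr/local/lib/php/) bad=0 ;;
            *) bad=1 ;;                              # e.g. the global "/home"
        esac
        if [ "$bad" -eq 1 ]; then
            echo "$file: path not confined to /home/$user: '$p'" >&2
            rc=1
        fi
    done
    IFS=$old_ifs; set +f
    return "$rc"
}

# ini_locked FILE: return 0 only if FILE is owned by root and its mode has no
# write bit (555 passes, 644 fails). Uses GNU stat.
ini_locked() {
    meta=$(stat -c '%U %a' "$1" 2>/dev/null) || return 1
    [ "${meta% *}" = root ] || return 1
    case "${meta#* }" in *[2367]*) return 1 ;; esac
    return 0
}

# Usage: sh audit.sh /home/USERNAME/php.ini USERNAME
if [ "$#" -eq 2 ]; then
    audit_basedir "$1" "$2" && ini_locked "$1" && echo "OK: $1"
fi
```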