05-16-2009, 01:23 AM
getUP
Quote:
Originally Posted by circlesquare
Correct, you can't use .htaccess files to specify PHP config options using suPHP. The howto explains how to create custom php.ini files for each user. If they want custom PHP config, you can specify it in their php.ini file (/home/user/php.ini)
The reason why you must not give the users themselves access to change this file is because they can then change the open_basedir restriction.
Your solution is not safe at all. If PHP_INI_SCAN_DIR is set, PHP will scan the complete directory (not recursively though) for .ini files. You can protect your custom php.ini as much as you want; a user can create e.g. hack.ini and override those settings.

We are using a customized version of your bash script. It supports a per user temp directory as well.

Code:
#!/bin/sh

# create custom temp directory
rm -rf /home/$username/tmp
mkdir -p /home/$username/tmp
chown -R $username:$username /home/$username/tmp
chmod 755 /home/$username/tmp

# create custom php.ini
rm -rf /usr/local/directadmin/data/users/$username/php/
mkdir /usr/local/directadmin/data/users/$username/php/
chown $username:$username /usr/local/directadmin/data/users/$username/php/
touch /usr/local/directadmin/data/users/$username/php/php.ini
echo "open_basedir = /home/$username/:/tmp/:/var/www/html/" >> /usr/local/directadmin/data/users/$username/php/php.ini
echo "upload_tmp_dir = /home/$username/tmp/" >> /usr/local/directadmin/data/users/$username/php/php.ini
echo "session.save_path = /home/$username/tmp/" >> /usr/local/directadmin/data/users/$username/php/php.ini
chown root:root /usr/local/directadmin/data/users/$username/php/php.ini
chattr +i /usr/local/directadmin/data/users/$username/php/

exit 0;
We're using chattr to protect the directory from outside access. This limits maintenance a tiny bit, but increases security. For the removal of a user the following is needed:

Code:
touch /usr/local/directadmin/scripts/custom/user_destroy_pre.sh 
chmod 755 /usr/local/directadmin/scripts/custom/user_destroy_pre.sh
nano /usr/local/directadmin/scripts/custom/user_destroy_pre.sh
Add the following code:

Code:
#!/bin/sh
chattr -i /usr/local/directadmin/data/users/$username/php/

exit 0;
Make sure it's accessible:

Code:
chmod +x /usr/local/directadmin/scripts/custom/user_destroy_pre.sh
chown diradmin:diradmin /usr/local/directadmin/scripts/custom/user_destroy_pre.sh
The httpd templates should be changed accordingly:

Code:
|*if SUPHP="1"|
        SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/|USER|/php/
|*endif|
Open /etc/httpd/conf/httpd.conf and change the following (within the /var/www/html/ directory configuration):

Code:
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
   </IfModule>
To:

Code:
   <IfModule mod_suphp.c>
        suPHP_Engine On
        suPHP_UserGroup webapps webapps
        SetEnv PHP_INI_SCAN_DIR
   </IfModule>
Thanks for the howto though.

Last edited by getUP; 05-19-2009 at 12:30 AM.
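An added audit script to go with the above (written for this page, not code from getUP's post or from DirectAdmin): it checks a per-user PHP_INI_SCAN_DIR for exactly the hack.ini problem described, i.e. a stray .ini file next to php.ini, a php.ini that is not owned by root or is group/world writable, and a directory the site user can still write to because it is user-owned and lacks the chattr +i flag. It assumes Linux with GNU coreutils stat (for -c %U and %A) and, optionally, lsattr from e2fsprogs; the expected php.ini owner is root unless a second argument names another account, and the script and function names are my own.

```sh
#!/bin/sh
# Added audit script (not part of the original post): checks a per-user
# PHP_INI_SCAN_DIR for the hack.ini problem described above.
# Assumptions: Linux with GNU coreutils stat (-c %U / %A) and, optionally,
# e2fsprogs lsattr; php.ini is expected to be owned by root unless a second
# argument names another owner.

# Print every *.ini file in DIR except php.ini, one per line.
# PHP loads all of them, so any extra file can override open_basedir.
stray_ini_files() {
    dir="$1"
    for f in "$dir"/*.ini; do
        [ -e "$f" ] || continue        # unmatched glob stays literal; skip it
        case "${f##*/}" in
            php.ini) ;;
            *) echo "$f" ;;
        esac
    done
}

# Return 0 when DIR is safe to use as a scan dir, 1 otherwise.
# Findings go to stderr, one per line.
audit_scan_dir() {
    dir="$1"
    want_owner="${2:-root}"
    rc=0

    if [ -f "$dir/php.ini" ]; then
        owner=$(stat -c %U "$dir/php.ini")
        if [ "$owner" != "$want_owner" ]; then
            echo "OWNER: $dir/php.ini owned by $owner, expected $want_owner" >&2
            rc=1
        fi
        # %A is the ls-style mode string: position 6 = group write, 9 = world write
        case "$(stat -c %A "$dir/php.ini")" in
            ?????w*|????????w*)
                echo "WRITABLE: $dir/php.ini is group- or world-writable" >&2
                rc=1 ;;
        esac
    else
        echo "MISSING: $dir/php.ini" >&2
        rc=1
    fi

    strays=$(stray_ini_files "$dir")
    if [ -n "$strays" ]; then
        echo "$strays" | sed 's/^/STRAY: /' >&2
        rc=1
    fi

    # The directory itself: anyone who can write it can drop a hack.ini there.
    # The post's script leaves it owned by the site user and relies on chattr +i,
    # so a user-owned directory without the immutable flag is a finding.
    dir_owner=$(stat -c %U "$dir")
    immutable=no
    if command -v lsattr >/dev/null 2>&1; then
        case "$(lsattr -d "$dir" 2>/dev/null | cut -d' ' -f1)" in
            *i*) immutable=yes ;;
        esac
    fi
    case "$(stat -c %A "$dir")" in
        ?????w*|????????w*)
            echo "WRITABLE: $dir is group- or world-writable" >&2
            rc=1 ;;
    esac
    if [ "$dir_owner" != "$want_owner" ] && [ "$immutable" = no ]; then
        echo "WRITABLE: $dir is owned by $dir_owner and not immutable" >&2
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit_php_ini.sh /usr/local/directadmin/data/users/*/php/
if [ "$#" -gt 0 ]; then
    status=0
    for d in "$@"; do
        audit_scan_dir "${d%/}" || status=1
    done
    exit "$status"
fi
```

Run it from cron over all user php directories and alert on a non-zero exit; the STRAY line is the one that matters most, since it is the only finding the chattr +i approach is meant to rule out entirely.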