Link to home
Start Free TrialLog in
Avatar of pmagony
pmagony

asked on

Open_BaseDir issue with Host

All,

I'm at a bit of a standstill with my server admin.  I'm installing litecommerce, an e-commerce application that requires open_basedir to either be set specifically to Curl or OpenSSL or to null.  At present, the setting is set to a tmp directory.

I cannot successfully install litecommerce till this gets resolved.

My questions are:

Is there a way around this? Don't have access to php.ini or httpd.conf.
Is this really a major security flaw like my admin is stating?
Does disabling affect the entire server and all its websites or just the website in question?
Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

For what its worth, i have successfully installed LiteCommerce on shared environments and dedicated environments and this has never been an issue. Even WordPress and other large scale web applications run with it open or pointed to something other than 'tmp'.

Why so much resistance?

Thanks for the advanced insight.
Avatar of ravenpl
ravenpl
Flag of Poland image

Yes, setting open_basedir to /tmp is good idea.
I really wonder why Your app requires open_basedir set to openssl/curl? What would You want to open/create there? openssl is in the /usr/bin - You surely cannot create any file there - are You?

Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?
Avatar of pmagony
pmagony

ASKER

You mention setting open_basedir to tmp is a good idea, but offer no indication why. You sound like my paranoid admin (LOL).

"I really wonder why Your app requires open_basedir set to openssl/curl?"

There are many applications that require open_basedir either set or unset.  Fopen(), gzopen(), fput(), etc... all these PHP functions are in common use/practice.  So setting it to 'tmp' where you run the risk of disabling these functions makes no sense to me unless you are developing a website that you know will not require the use of such functions.

"Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?"

No.
ASKER CERTIFIED SOLUTION
Avatar of Steve Bink
Steve Bink
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
> My questions are:
> Is there a way around this? Don't have access to php.ini or httpd.conf.
no

> Is this really a major security flaw like my admin is stating?
yes (as already explained)
for infinite security vulnerability examples simply search for php and open_basedir at proper web application security sites

> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?
yes

> Why so much resistance?
'cause all profesional attackers and most script kiddies are more experianced than some web admins :-/
Avatar of pmagony

ASKER

With regards to LiteCommerce, when open_basedir restriction exists, the cart can't find the HTTPS client executable library automatically using find_executable() functions. They offer a workaround solution - which is to define the path to OpenSSL executable manually in the 'classes/kernel/HTTPS.php' file.

This will bypass the issue I am having with open_basedir, my admin will be happy, I will be happy and I will be able to successfully proceed with installation.

Thanks all for the professional feedback.

-pmagony