Solved

Open_BaseDir issue with Host

Posted on 2009-04-13
6
541 Views
Last Modified: 2013-12-14
All,

I'm at a bit of a standstill with my server admin.  I'm installing litecommerce, an e-commerce application that requires open_basedir to either be set specifically to Curl or OpenSSL or to null.  At present, the setting is set to a tmp directory.

I cannot successfully install litecommerce till this gets resolved.

My questions are:

Is there a way around this? Don't have access to php.ini or httpd.conf.
Is this really a major security flaw like my admin is stating?
Does disabling affect the entire server and all its websites or just the website in question?
Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

For what its worth, i have successfully installed LiteCommerce on shared environments and dedicated environments and this has never been an issue. Even WordPress and other large scale web applications run with it open or pointed to something other than 'tmp'.

Why so much resistance?

Thanks for the advanced insight.
0
Comment
Question by:pmagony
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 24135818
Yes, setting open_basedir to /tmp is good idea.
I really wonder why Your app requires open_basedir set to openssl/curl? What would You want to open/create there? openssl is in the /usr/bin - You surely cannot create any file there - are You?

Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?
0
 
LVL 9

Author Comment

by:pmagony
ID: 24137710
You mention setting open_basedir to tmp is a good idea, but offer no indication why. You sound like my paranoid admin (LOL).

"I really wonder why Your app requires open_basedir set to openssl/curl?"

There are many applications that require open_basedir either set or unset.  Fopen(), gzopen(), fput(), etc... all these PHP functions are in common use/practice.  So setting it to 'tmp' where you run the risk of disabling these functions makes no sense to me unless you are developing a website that you know will not require the use of such functions.

"Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?"

No.
0
 
LVL 50

Accepted Solution

by:
Steve Bink earned 500 total points
ID: 24144844
http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir

The problem with expanding your open_basedir setting is that it gives PHP access to a much wider range of files.  For example, say you have this very poorly written script:

<?
$x = $_GET['filename']
echo file_get_contents($x);
?>

That basically dumps any requested filename to the PHP response.  Without open_basedir, I could put in '/etc/passwd' and get a list of valid user accounts on the box.  I could dump the TCP configuration, looking for other IPs, or maybe someone's mailbox to sniff their email.

On the other hand, setting open_basedir to the minimum necessary for a script to run seriously limits the possible damage or exposure.  In a shared hosting environment, this is a particularly sensitive issue since the above script COULD be used to dump someone else's contents....say, their include file holding the database connection string.  Your host is absolutely 100% correct in not expanding open_basedir's definition without very good reason.

The better question to ask here is why your application even needs access to the bin directories.  That should not be.  PHP comes with openssl and curl capabilities.  If your ecommerce package is doing something as non-standard as this, I would recommend you either find a new package, or purchase yourself a dedicated server where no one else is going to care if you introduce vulnerabilities.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 24144875
To specifically answer your questions:

>>> Is there a way around this? Don't have access to php.ini or httpd.conf.

No.  You can tighten an open_basedir directive, but you cannot open it from runtime.  You would need to change the value in php.ini.

>>> Is this really a major security flaw like my admin is stating?

As I hope my previous post demonstrated, absolutely.  

>>> Does disabling affect the entire server and all its websites or just the website in question?

Yes, it does.  Removing open_basedir from php.ini would open the entire filesystem to every site on the box, unless they voluntarily tightened the setting themselves.  Would you like to give access to your entire neighborhood to enter your bedroom and peek around?

>>> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

If curl or openssl are located in the bin directories, absolutely.  There is much more in the directory than those two apps.  As I stated before, PHP comes with both capabilities as extensions, so it should not be necessary to use external apps for this.

>>> Why so much resistance?

Because, strangely enough, hosting companies like their shared hosting environments to be as secure as possible.  Providing a non-secure environment as a host is a great way to get sued.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24146123
> My questions are:
> Is there a way around this? Don't have access to php.ini or httpd.conf.
no

> Is this really a major security flaw like my admin is stating?
yes (as already explained)
for infinite security vulnerability examples simply search for php and open_basedir at proper web application security sites

> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?
yes

> Why so much resistance?
'cause all profesional attackers and most script kiddies are more experianced than some web admins :-/
0
 
LVL 9

Author Closing Comment

by:pmagony
ID: 31597485
With regards to LiteCommerce, when open_basedir restriction exists, the cart can't find the HTTPS client executable library automatically using find_executable() functions. They offer a workaround solution - which is to define the path to OpenSSL executable manually in the 'classes/kernel/HTTPS.php' file.

This will bypass the issue I am having with open_basedir, my admin will be happy, I will be happy and I will be able to successfully proceed with installation.

Thanks all for the professional feedback.

-pmagony
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question