Solved

Open_BaseDir issue with Host

Posted on 2009-04-13
Last Modified: 2013-12-14
All,

I'm at a bit of a standstill with my server admin.  I'm installing litecommerce, an e-commerce application that requires open_basedir to either be set specifically to Curl or OpenSSL or to null.  At present, the setting is set to a tmp directory.

I cannot successfully install litecommerce till this gets resolved.

My questions are:

Is there a way around this? Don't have access to php.ini or httpd.conf.
Is this really a major security flaw like my admin is stating?
Does disabling affect the entire server and all its websites or just the website in question?
Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

For what it's worth, I have successfully installed LiteCommerce on shared environments and dedicated environments and this has never been an issue. Even WordPress and other large-scale web applications run with it open or pointed to something other than 'tmp'.

Why so much resistance?

Thanks for the advanced insight.
Question by:pmagony
6 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 24135818
Yes, setting open_basedir to /tmp is good idea.
I really wonder why Your app requires open_basedir set to openssl/curl? What would You want to open/create there? openssl is in the /usr/bin - You surely cannot create any file there - are You?

Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?
 
LVL 9

Author Comment

by:pmagony
ID: 24137710
You mention setting open_basedir to tmp is a good idea, but offer no indication why. You sound like my paranoid admin (LOL).

"I really wonder why Your app requires open_basedir set to openssl/curl?"

There are many applications that require open_basedir either set or unset.  Fopen(), gzopen(), fput(), etc... all these PHP functions are in common use/practice.  So setting it to 'tmp' where you run the risk of disabling these functions makes no sense to me unless you are developing a website that you know will not require the use of such functions.

"Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?"

No.
 
LVL 50

Accepted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 24144844
http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir

The problem with expanding your open_basedir setting is that it gives PHP access to a much wider range of files.  For example, say you have this very poorly written script:

<?php
// Deliberately insecure: the client chooses the path and gets the file back.
$x = $_GET['filename'];
echo file_get_contents($x);
?>

That basically dumps any requested filename to the PHP response.  Without open_basedir, I could put in '/etc/passwd' and get a list of valid user accounts on the box.  I could dump the TCP configuration, looking for other IPs, or maybe someone's mailbox to sniff their email.

On the other hand, setting open_basedir to the minimum necessary for a script to run seriously limits the possible damage or exposure.  In a shared hosting environment, this is a particularly sensitive issue since the above script COULD be used to dump someone else's contents....say, their include file holding the database connection string.  Your host is absolutely 100% correct in not expanding open_basedir's definition without very good reason.

The better question to ask here is why your application even needs access to the bin directories.  That should not be.  PHP comes with openssl and curl capabilities.  If your ecommerce package is doing something as non-standard as this, I would recommend you either find a new package, or purchase yourself a dedicated server where no one else is going to care if you introduce vulnerabilities.
 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 24144875
To specifically answer your questions:

>>> Is there a way around this? Don't have access to php.ini or httpd.conf.

No.  You can tighten an open_basedir directive, but you cannot open it from runtime.  You would need to change the value in php.ini.

>>> Is this really a major security flaw like my admin is stating?

As I hope my previous post demonstrated, absolutely.  

>>> Does disabling affect the entire server and all its websites or just the website in question?

Yes, it does.  Removing open_basedir from php.ini would open the entire filesystem to every site on the box, unless they voluntarily tightened the setting themselves.  Would you like to give access to your entire neighborhood to enter your bedroom and peek around?

>>> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

If curl or openssl are located in the bin directories, absolutely.  There is much more in the directory than those two apps.  As I stated before, PHP comes with both capabilities as extensions, so it should not be necessary to use external apps for this.

>>> Why so much resistance?

Because, strangely enough, hosting companies like their shared hosting environments to be as secure as possible.  Providing a non-secure environment as a host is a great way to get sued.
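Steve Bink's two posts above make two concrete points: an attacker-controlled path handed to file_get_contents() reads anything the PHP process can reach, and open_basedir can be tightened from a script but never widened. The PHP below is an added example, not code from the thread or from LiteCommerce: it shows the containment check a script should do on its own reads, and probes the tightening rule with ini_set(). The directory /tmp/open_basedir_demo is a constructed name.

```php
<?php
// Added example (not from the thread or from LiteCommerce): hardened
// counterpart of the "poorly written script" in the accepted answer, plus a
// probe of what open_basedir permits at runtime. Directory name is assumed.

// Directory the script is allowed to serve files from (constructed for the demo).
const ALLOWED_DIR = '/tmp/open_basedir_demo';

// Resolve the requested name and refuse anything that ends up outside ALLOWED_DIR.
// realpath() collapses "../" and follows symlinks, so both a traversal string and
// a symlink pointing elsewhere are rejected. Returns the contents or null.
function read_allowed_file(string $requested): ?string
{
    $base = realpath(ALLOWED_DIR);
    $path = realpath(ALLOWED_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;   // missing dir or file, or already blocked by open_basedir
    }
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;   // resolved outside the allowed directory
    }
    $contents = file_get_contents($path);
    return $contents === false ? null : $contents;
}

// open_basedir can only be tightened from a script, never widened: ini_set()
// returns false when the new value is not inside the value already in force.
function tighten_open_basedir(string $dir): bool
{
    return ini_set('open_basedir', $dir) !== false;
}

// Demo when run from the command line: php this_file.php
// If php.ini already restricts open_basedir to a path that does not contain
// /tmp, the first tightening is refused as well, which is the point of the rule.
if (PHP_SAPI === 'cli') {
    @mkdir(ALLOWED_DIR, 0700, true);
    file_put_contents(ALLOWED_DIR . '/hello.txt', "hello\n");

    echo "open_basedir before: ", ini_get('open_basedir') ?: '(unset)', "\n";
    echo "tighten to ALLOWED_DIR: ", tighten_open_basedir(ALLOWED_DIR) ? 'yes' : 'no', "\n";
    echo "widen back to /:        ", tighten_open_basedir('/') ? 'yes' : 'no (refused)', "\n";

    // In-directory file is served; a traversal attempt is rejected by the
    // containment check, and once tightened, open_basedir blocks it anyway.
    var_dump(read_allowed_file('hello.txt'));
    var_dump(read_allowed_file('../../etc/passwd'));
}
```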
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24146123
> My questions are:
> Is there a way around this? Don't have access to php.ini or httpd.conf.
no

> Is this really a major security flaw like my admin is stating?
yes (as already explained)
for infinite security vulnerability examples simply search for php and open_basedir at proper web application security sites

> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?
yes

> Why so much resistance?
'cause all professional attackers and most script kiddies are more experienced than some web admins :-/
 
LVL 9

Author Closing Comment

by:pmagony
ID: 31597485
With regards to LiteCommerce, when open_basedir restriction exists, the cart can't find the HTTPS client executable library automatically using find_executable() functions. They offer a workaround solution - which is to define the path to OpenSSL executable manually in the 'classes/kernel/HTTPS.php' file.

This will bypass the issue I am having with open_basedir, my admin will be happy, I will be happy and I will be able to successfully proceed with installation.

Thanks all for the professional feedback.

-pmagony