Solved

Open_BaseDir issue with Host

Posted on 2009-04-13
6
542 Views
Last Modified: 2013-12-14
All,

I'm at a bit of a standstill with my server admin.  I'm installing litecommerce, an e-commerce application that requires open_basedir to either be set specifically to Curl or OpenSSL or to null.  At present, the setting is set to a tmp directory.

I cannot successfully install litecommerce till this gets resolved.

My questions are:

Is there a way around this? Don't have access to php.ini or httpd.conf.
Is this really a major security flaw like my admin is stating?
Does disabling affect the entire server and all its websites or just the website in question?
Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

For what its worth, i have successfully installed LiteCommerce on shared environments and dedicated environments and this has never been an issue. Even WordPress and other large scale web applications run with it open or pointed to something other than 'tmp'.

Why so much resistance?

Thanks for the advanced insight.
0
Comment
Question by:pmagony
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 24135818
Yes, setting open_basedir to /tmp is good idea.
I really wonder why Your app requires open_basedir set to openssl/curl? What would You want to open/create there? openssl is in the /usr/bin - You surely cannot create any file there - are You?

Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?
0
 
LVL 9

Author Comment

by:pmagony
ID: 24137710
You mention setting open_basedir to tmp is a good idea, but offer no indication why. You sound like my paranoid admin (LOL).

"I really wonder why Your app requires open_basedir set to openssl/curl?"

There are many applications that require open_basedir either set or unset.  Fopen(), gzopen(), fput(), etc... all these PHP functions are in common use/practice.  So setting it to 'tmp' where you run the risk of disabling these functions makes no sense to me unless you are developing a website that you know will not require the use of such functions.

"Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?"

No.
0
 
LVL 51

Accepted Solution

by:
Steve Bink earned 500 total points
ID: 24144844
http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir

The problem with expanding your open_basedir setting is that it gives PHP access to a much wider range of files.  For example, say you have this very poorly written script:

<?
$x = $_GET['filename']
echo file_get_contents($x);
?>

That basically dumps any requested filename to the PHP response.  Without open_basedir, I could put in '/etc/passwd' and get a list of valid user accounts on the box.  I could dump the TCP configuration, looking for other IPs, or maybe someone's mailbox to sniff their email.

On the other hand, setting open_basedir to the minimum necessary for a script to run seriously limits the possible damage or exposure.  In a shared hosting environment, this is a particularly sensitive issue since the above script COULD be used to dump someone else's contents....say, their include file holding the database connection string.  Your host is absolutely 100% correct in not expanding open_basedir's definition without very good reason.

The better question to ask here is why your application even needs access to the bin directories.  That should not be.  PHP comes with openssl and curl capabilities.  If your ecommerce package is doing something as non-standard as this, I would recommend you either find a new package, or purchase yourself a dedicated server where no one else is going to care if you introduce vulnerabilities.
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 24144875
To specifically answer your questions:

>>> Is there a way around this? Don't have access to php.ini or httpd.conf.

No.  You can tighten an open_basedir directive, but you cannot open it from runtime.  You would need to change the value in php.ini.

>>> Is this really a major security flaw like my admin is stating?

As I hope my previous post demonstrated, absolutely.  

>>> Does disabling affect the entire server and all its websites or just the website in question?

Yes, it does.  Removing open_basedir from php.ini would open the entire filesystem to every site on the box, unless they voluntarily tightened the setting themselves.  Would you like to give access to your entire neighborhood to enter your bedroom and peek around?

>>> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

If curl or openssl are located in the bin directories, absolutely.  There is much more in the directory than those two apps.  As I stated before, PHP comes with both capabilities as extensions, so it should not be necessary to use external apps for this.

>>> Why so much resistance?

Because, strangely enough, hosting companies like their shared hosting environments to be as secure as possible.  Providing a non-secure environment as a host is a great way to get sued.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24146123
> My questions are:
> Is there a way around this? Don't have access to php.ini or httpd.conf.
no

> Is this really a major security flaw like my admin is stating?
yes (as already explained)
for infinite security vulnerability examples simply search for php and open_basedir at proper web application security sites

> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?
yes

> Why so much resistance?
'cause all profesional attackers and most script kiddies are more experianced than some web admins :-/
0
 
LVL 9

Author Closing Comment

by:pmagony
ID: 31597485
With regards to LiteCommerce, when open_basedir restriction exists, the cart can't find the HTTPS client executable library automatically using find_executable() functions. They offer a workaround solution - which is to define the path to OpenSSL executable manually in the 'classes/kernel/HTTPS.php' file.

This will bypass the issue I am having with open_basedir, my admin will be happy, I will be happy and I will be able to successfully proceed with installation.

Thanks all for the professional feedback.

-pmagony
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Make the most of your online learning experience.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question