Solved

Open_BaseDir issue with Host

Posted on 2009-04-13
540 Views
Last Modified: 2013-12-14
All,

I'm at a bit of a standstill with my server admin.  I'm installing litecommerce, an e-commerce application that requires open_basedir to either be set specifically to Curl or OpenSSL or to null.  At present, the setting is set to a tmp directory.

I cannot successfully install litecommerce till this gets resolved.

My questions are:

Is there a way around this? Don't have access to php.ini or httpd.conf.
Is this really a major security flaw like my admin is stating?
Does disabling affect the entire server and all its websites or just the website in question?
Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

For what it's worth, I have successfully installed LiteCommerce on shared environments and dedicated environments and this has never been an issue. Even WordPress and other large scale web applications run with it open or pointed to something other than 'tmp'.

Why so much resistance?

Thanks for the advanced insight.
Question by:pmagony
6 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 24135818
Yes, setting open_basedir to /tmp is a good idea.
I really wonder why your app requires open_basedir set to openssl/curl? What would you want to open/create there? openssl is in /usr/bin; you surely cannot create any file there, can you?

Maybe you are talking about safe_mode_exec_dir; maybe no curl or openssl is available under that dir?
 
LVL 9

Author Comment

by:pmagony
ID: 24137710
You mention setting open_basedir to tmp is a good idea, but offer no indication why. You sound like my paranoid admin (LOL).

"I really wonder why Your app requires open_basedir set to openssl/curl?"

There are many applications that require open_basedir either set or unset.  Fopen(), gzopen(), fput(), etc... all these PHP functions are in common use/practice.  So setting it to 'tmp' where you run the risk of disabling these functions makes no sense to me unless you are developing a website that you know will not require the use of such functions.

"Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?"

No.
 
LVL 50

Accepted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 24144844
http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir

The problem with expanding your open_basedir setting is that it gives PHP access to a much wider range of files.  For example, say you have this very poorly written script:

<?php
$x = $_GET['filename'];        // attacker-controlled path, no validation at all
echo file_get_contents($x);    // reads and dumps whatever file that path names
?>

That basically dumps any requested filename to the PHP response.  Without open_basedir, I could put in '/etc/passwd' and get a list of valid user accounts on the box.  I could dump the TCP configuration, looking for other IPs, or maybe someone's mailbox to sniff their email.

On the other hand, setting open_basedir to the minimum necessary for a script to run seriously limits the possible damage or exposure.  In a shared hosting environment, this is a particularly sensitive issue since the above script COULD be used to dump someone else's contents... say, their include file holding the database connection string.  Your host is absolutely 100% correct in not expanding open_basedir's definition without very good reason.

The better question to ask here is why your application even needs access to the bin directories.  That should not be.  PHP comes with openssl and curl capabilities.  If your ecommerce package is doing something as non-standard as this, I would recommend you either find a new package, or purchase yourself a dedicated server where no one else is going to care if you introduce vulnerabilities.
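Added example, not code from the original answer or from LiteCommerce: the dump script above beside a version that confines reads to one directory, followed by a runtime ini_set() that can only tighten open_basedir. The sandbox directory, the readme.txt file and the traversal string are constructed for the demo.

```php
<?php
// Added example (not from the original post or LiteCommerce). Paths and
// sample file are constructed for illustration only.

// Vulnerable form: whatever ?filename= names is read and echoed.
function dump_unrestricted($filename)
{
    return @file_get_contents($filename);   // @ so a blocked read returns false quietly
}

// Hardened form: resolve the request inside one directory and refuse anything
// that escapes it (../ sequences, absolute paths, symlinks pointing outside).
function dump_confined($base, $filename)
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $filename);
    if ($baseReal === false || $target === false) {
        return false;                          // missing file or unresolvable path
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                          // resolved to somewhere outside $base
    }
    return file_get_contents($target);
}

// Constructed sandbox with one allowed file.
$base = sys_get_temp_dir() . '/obd_demo';
@mkdir($base, 0700);
file_put_contents("$base/readme.txt", "public content\n");

$escape = '../../../../../etc/passwd';         // the traversal the answer describes
var_dump(dump_confined($base, 'readme.txt') !== false);   // true: inside $base
var_dump(dump_confined($base, $escape));                  // false: escapes $base
var_dump(dump_unrestricted($escape) !== false);           // true: nothing stops it yet

// open_basedir can be tightened at runtime but never widened; once set here,
// even the unrestricted function can no longer read outside $base.
ini_set('open_basedir', $base);
var_dump(dump_unrestricted('/etc/passwd'));               // false: blocked by PHP
var_dump(dump_unrestricted("$base/readme.txt") !== false); // true: still allowed
```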
 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 500 total points
ID: 24144875
To specifically answer your questions:

>>> Is there a way around this? Don't have access to php.ini or httpd.conf.

No.  You can tighten an open_basedir directive, but you cannot open it from runtime.  You would need to change the value in php.ini.

>>> Is this really a major security flaw like my admin is stating?

As I hope my previous post demonstrated, absolutely.  

>>> Does disabling affect the entire server and all its websites or just the website in question?

Yes, it does.  Removing open_basedir from php.ini would open the entire filesystem to every site on the box, unless they voluntarily tightened the setting themselves.  Would you like to give access to your entire neighborhood to enter your bedroom and peek around?

>>> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

If curl or openssl are located in the bin directories, absolutely.  There is much more in the directory than those two apps.  As I stated before, PHP comes with both capabilities as extensions, so it should not be necessary to use external apps for this.

>>> Why so much resistance?

Because, strangely enough, hosting companies like their shared hosting environments to be as secure as possible.  Providing a non-secure environment as a host is a great way to get sued.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24146123
> My questions are:
> Is there a way around this? Don't have access to php.ini or httpd.conf.
no

> Is this really a major security flaw like my admin is stating?
yes (as already explained)
for infinite security vulnerability examples simply search for php and open_basedir at proper web application security sites

> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?
yes

> Why so much resistance?
'cause all professional attackers and most script kiddies are more experienced than some web admins :-/
 
LVL 9

Author Closing Comment

by:pmagony
ID: 31597485
With regards to LiteCommerce, when open_basedir restriction exists, the cart can't find the HTTPS client executable library automatically using find_executable() functions. They offer a workaround solution - which is to define the path to OpenSSL executable manually in the 'classes/kernel/HTTPS.php' file.

This will bypass the issue I am having with open_basedir, my admin will be happy, I will be happy and I will be able to successfully proceed with installation.

Thanks all for the professional feedback.

-pmagony