Solved

Open_BaseDir issue with Host

Posted on 2009-04-13
544 Views
Last Modified: 2013-12-14
All,

I'm at a bit of a standstill with my server admin.  I'm installing litecommerce, an e-commerce application that requires open_basedir to either be set specifically to Curl or OpenSSL or to null.  At present, the setting is set to a tmp directory.

I cannot successfully install litecommerce till this gets resolved.

My questions are:

Is there a way around this? Don't have access to php.ini or httpd.conf.
Is this really a major security flaw like my admin is stating?
Does disabling affect the entire server and all its websites or just the website in question?
Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

For what it's worth, I have successfully installed LiteCommerce on shared environments and dedicated environments and this has never been an issue. Even WordPress and other large scale web applications run with it open or pointed to something other than 'tmp'.

Why so much resistance?

Thanks for the advanced insight.
0
Question by:pmagony
6 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 24135818
Yes, setting open_basedir to /tmp is good idea.
I really wonder why Your app requires open_basedir set to openssl/curl? What would You want to open/create there? openssl is in the /usr/bin - You surely cannot create any file there - are You?

Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?
0
 
LVL 9

Author Comment

by:pmagony
ID: 24137710
You mention setting open_basedir to tmp is a good idea, but offer no indication why. You sound like my paranoid admin (LOL).

"I really wonder why Your app requires open_basedir set to openssl/curl?"

There are many applications that require open_basedir either set or unset.  Fopen(), gzopen(), fput(), etc... all these PHP functions are in common use/practice.  So setting it to 'tmp' where you run the risk of disabling these functions makes no sense to me unless you are developing a website that you know will not require the use of such functions.

"Maybe You are talking about safe_mode_exec_dir - maybe no curl or openssl is available under that dir?"

No.
0
 
LVL 51

Accepted Solution

by:Steve Bink
Steve Bink earned 2000 total points
ID: 24144844
http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.open-basedir

The problem with expanding your open_basedir setting is that it gives PHP access to a much wider range of files.  For example, say you have this very poorly written script:

<?php
// Deliberately insecure: passes a user-supplied filename straight to file_get_contents()
$x = $_GET['filename'];
echo file_get_contents($x);
?>

That basically dumps any requested filename to the PHP response.  Without open_basedir, I could put in '/etc/passwd' and get a list of valid user accounts on the box.  I could dump the TCP configuration, looking for other IPs, or maybe someone's mailbox to sniff their email.

On the other hand, setting open_basedir to the minimum necessary for a script to run seriously limits the possible damage or exposure.  In a shared hosting environment, this is a particularly sensitive issue since the above script COULD be used to dump someone else's contents....say, their include file holding the database connection string.  Your host is absolutely 100% correct in not expanding open_basedir's definition without very good reason.

The better question to ask here is why your application even needs access to the bin directories.  That should not be.  PHP comes with openssl and curl capabilities.  If your ecommerce package is doing something as non-standard as this, I would recommend you either find a new package, or purchase yourself a dedicated server where no one else is going to care if you introduce vulnerabilities.
0
 
LVL 51

Assisted Solution

by:Steve Bink
Steve Bink earned 2000 total points
ID: 24144875
To specifically answer your questions:

>>> Is there a way around this? Don't have access to php.ini or httpd.conf.

No.  You can tighten an open_basedir directive, but you cannot open it from runtime.  You would need to change the value in php.ini.

>>> Is this really a major security flaw like my admin is stating?

As I hope my previous post demonstrated, absolutely.  

>>> Does disabling affect the entire server and all its websites or just the website in question?

Yes, it does.  Removing open_basedir from php.ini would open the entire filesystem to every site on the box, unless they voluntarily tightened the setting themselves.  Would you like to give access to your entire neighborhood to enter your bedroom and peek around?

>>> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?

If curl or openssl are located in the bin directories, absolutely.  There is much more in the directory than those two apps.  As I stated before, PHP comes with both capabilities as extensions, so it should not be necessary to use external apps for this.

>>> Why so much resistance?

Because, strangely enough, hosting companies like their shared hosting environments to be as secure as possible.  Providing a non-secure environment as a host is a great way to get sued.
0
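The two answers above make three claims that are easy to verify on a PHP CLI: a script can tighten open_basedir at runtime but never widen it, every filesystem call outside the allowed prefix then fails (including the executable search that LiteCommerce's installer performs against the bin directories), and the "dump any requested file" script can be hardened so it does not depend on open_basedir alone. The following is an added example written for this page; it is not code from the thread, from PHP's documentation, or from LiteCommerce. It assumes a PHP 7.4 or 8 CLI whose php.ini does not already set an open_basedir that excludes the system temp directory; the sandbox directory, its file and the safe_read() helper are constructed here for the demonstration.

```php
<?php
// Added example (not from the thread or from LiteCommerce): runtime behaviour of
// open_basedir, and a hardened replacement for echo file_get_contents($_GET['filename']).
// Assumes a PHP 7.4+/8 CLI with no pre-existing open_basedir that excludes the temp dir.
declare(strict_types=1);

$current = ini_get('open_basedir');
echo 'open_basedir before: ' . ($current === '' || $current === false ? '(unrestricted)' : $current) . PHP_EOL;

// The trailing separator matters: "/tmp/obd_demo" is a prefix match and would also
// admit "/tmp/obd_demo_other", so always end the directory with "/".
$sandbox = sys_get_temp_dir() . '/obd_demo';       // constructed demo directory
@mkdir($sandbox, 0700);
file_put_contents($sandbox . '/allowed.txt', "safe content\n");

// A script can only TIGHTEN open_basedir at runtime. The first call succeeds and
// returns the previous value; the second tries to widen it back to "/" and returns false.
var_dump(ini_set('open_basedir', $sandbox . '/'));
var_dump(@ini_set('open_basedir', '/'));

// Once the restriction is active, filesystem calls outside the sandbox fail (false,
// plus an "open_basedir restriction in effect" warning, suppressed here with @).
var_dump(@file_get_contents('/etc/passwd'));       // bool(false)
var_dump(@is_executable('/usr/bin/openssl'));      // bool(false): why an installer's
                                                   // executable search cannot see the bin dirs

// Hardened replacement for the vulnerable script: confine reads to one directory and
// reject anything that resolves outside it, rather than relying on open_basedir alone.
function safe_read(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // basename() drops all directory components, so "../../etc/passwd" becomes "passwd"
    $path = realpath($baseDir . '/' . basename($requested));
    if ($base === false || $path === false) {
        return null;                                // no such directory or file
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                // symlink or other escape from $baseDir
    }
    return file_get_contents($path);
}

var_dump(safe_read($sandbox, 'allowed.txt'));       // string(13) "safe content\n"
var_dump(safe_read($sandbox, '../../etc/passwd'));  // NULL
```

Run it as `php obd_demo.php`. If the second `ini_set()` ever returned a string instead of false, the interpreter would be letting scripts widen the restriction, which is exactly what the host is refusing to do in php.ini; the `safe_read()` pattern is the application-side fix that makes a wider open_basedir unnecessary in the first place.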
 
LVL 51

Expert Comment

by:ahoffmann
ID: 24146123
> My questions are:
> Is there a way around this? Don't have access to php.ini or httpd.conf.
no

> Is this really a major security flaw like my admin is stating?
yes (as already explained)
for infinite security vulnerability examples simply search for php and open_basedir at proper web application security sites

> Does setting it specifically to Curl or OpenSSL pose a greater security threat than that of having it point to tmp?
yes

> Why so much resistance?
'cause all professional attackers and most script kiddies are more experienced than some web admins :-/
0
 
LVL 9

Author Closing Comment

by:pmagony
ID: 31597485
With regards to LiteCommerce, when open_basedir restriction exists, the cart can't find the HTTPS client executable library automatically using find_executable() functions. They offer a workaround solution - which is to define the path to OpenSSL executable manually in the 'classes/kernel/HTTPS.php' file.

This will bypass the issue I am having with open_basedir, my admin will be happy, I will be happy and I will be able to successfully proceed with installation.

Thanks all for the professional feedback.

-pmagony
0