Setup a per-user php.ini to allow open_basedir with suPhp



Last Modified: Oct 10, 2013, 2:59 pm
new way:

If you wish to use per-user php.ini files in:
/usr/local/directadmin/data/users/username/php/php.ini
then you can use this guide to add the code:

SetEnv PHP_INI_SCAN_DIR /usr/local/directadmin/data/users/|USER|/php/

to the VirtualHost entries for that domain and its subdomains.  This will tell suPhp to look in that path for a php.ini.
It's loaded after the main php.ini, so if it's not there, it's not a big deal.  You can add just the php entries that you wish to override the global php.ini's defaults.
Note: for complete usage of this setting, a how-to has been created here, which should be consulted first: http://www.directadmin.com:80/forum/showpost.php?p=156958&postcount=25

If you only want to set a custom php.ini for individual users, and not all users, then you can use this guide to insert just the one line of code into the VirtualHost entries for that domain.

Sample /usr/local/directadmin/scripts/custom/user_create_post.sh

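#!/bin/sh
# $username is expected in the environment when this script runs.
[ -n "$username" ] || exit 1

HOME=/home/$username
# Paths PHP is allowed to access for this user
OBD="${HOME}/:/tmp:/var/tmp:/usr/local/lib/php/"

P=/usr/local/directadmin/data/users/$username
if [ ! -e "${P}/php" ]; then
    mkdir "${P}/php"
fi

PI=${P}/php/php.ini

# Start from the template, then fill in the OBD and HOME placeholders
cp -f /usr/local/lib/php.ini.template "${PI}"
perl -pi -e "s#open_basedir = OBD#open_basedir = ${OBD}#" "${PI}"
perl -pi -e "s#HOME#${HOME}#" "${PI}"

exit 0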

Where the /usr/local/lib/php.ini.template might look like this:

[PHP]
open_basedir = OBD
mail.log = HOME/.php/php-mail.log

so that the regex in user_create_post.sh will swap OBD with the user's open_basedir path.


The above script can also be used to add a php.ini for all existing accounts.  You can create another simple script to do it called (for example) add_php_ini.sh with the following code:

#!/bin/sh
# Run the create script once for every existing user directory
for i in /usr/local/directadmin/data/users/*; do
  username=$(basename "$i") /usr/local/directadmin/scripts/custom/user_create_post.sh
done
exit 0

Save this new add_php_ini.sh script, chmod it to 755, and run it once.
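
After running the scripts, each generated php.ini can be checked for a leftover OBD/HOME placeholder or an open_basedir entry outside the expected set. This is an added example, not part of the original DirectAdmin guide: check_user_ini and the USERS_DIR override are hypothetical names, the allow-list mirrors the OBD value in the sample user_create_post.sh above, and the sample users are constructed.

```sh
#!/bin/sh
# Added example: audit the per-user php.ini files produced from the template.
# USERS_DIR defaults to the path used on this page; override it for a dry run.
USERS_DIR="${USERS_DIR:-/usr/local/directadmin/data/users}"

# check_user_ini USERNAME (hypothetical helper)
# Prints ok | missing | unset | placeholder | unexpected:<path>; returns 0 only for ok.
check_user_ini() {
    user=$1
    ini="${USERS_DIR}/${user}/php/php.ini"
    if [ ! -f "$ini" ]; then echo "missing"; return 1; fi

    # The last open_basedir line wins; trim whitespace and optional quotes.
    obd=$(sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$ini" | tail -n 1 | tr -d '"')
    if [ -z "$obd" ]; then echo "unset"; return 1; fi

    # OBD or HOME still present means the template substitution never ran.
    if [ "$obd" = "OBD" ] || grep -q '=[[:space:]]*HOME/' "$ini"; then
        echo "placeholder"; return 1
    fi

    # Every entry must be one the create script writes for this user.
    allowed=" /home/${user}/ /tmp /var/tmp /usr/local/lib/php/ "
    old_ifs=$IFS; IFS=:
    set -f; set -- $obd; set +f      # split on ':' without glob expansion
    IFS=$old_ifs
    for p in "$@"; do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "unexpected:$p"; return 1 ;;
        esac
    done
    echo "ok"
}

# Constructed sample data, not taken from a real server.
demo_dir=$(mktemp -d)
USERS_DIR=$demo_dir
mkdir -p "$demo_dir/alice/php" "$demo_dir/bob/php" "$demo_dir/carol/php"
printf '[PHP]\nopen_basedir = /home/alice/:/tmp:/var/tmp:/usr/local/lib/php/\n' > "$demo_dir/alice/php/php.ini"
printf '[PHP]\nopen_basedir = OBD\nmail.log = HOME/.php/php-mail.log\n' > "$demo_dir/bob/php/php.ini"
printf '[PHP]\nopen_basedir = /home/carol/:/tmp:/home/\n' > "$demo_dir/carol/php/php.ini"
for u in alice bob carol dave; do
    echo "$u: $(check_user_ini "$u")"
done
```

On a real server, remove the sample-data section and call check_user_ini for each directory name under USERS_DIR.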
Related:
http://www.php.net/ini.sections
Improved php.ini handling in 5.3.0


old way:

In order to set up a php.ini for each user with suPhp (installed by custombuild), edit:
/etc/httpd/conf/extra/httpd-suphp.conf

Find this line:

suPHP_ConfigPath /usr/local/etc/php5/cgi/

and comment it out by changing it to

#suPHP_ConfigPath /usr/local/etc/php5/cgi/

(just add a # in front of it).

Doing this will let suPhp be more flexible in using a different php.ini file.  By default, it will still fall back to the /usr/local/etc/php5/cgi/php.ini if nothing else is set, but leaving it unset here allows us to change it later (suPhp only accepts the first call of that command).

The next step is to tell apache where to find the php.ini that you want.
Go to:
Admin Level -> Custom httpd configuration -> domain.com

Insert the following 1 line into the top textarea:

suPHP_ConfigPath |HOME|/

exactly as written, then hit save.  You can do this for as many single domains as you wish.

Note that you can also make this a global change by adding that line to the virtualhost templates using this guide:
help.directadmin.com/item.php?id=2.

Restart apache when you're done.

Don't forget to actually add a php.ini file into /home/username/php.ini and save it with root as the owner if you don't want the user changing it at all.   In that php.ini file, you can specify a custom open_basedir path, thus preventing the user from wandering about the system.  Automating a new php.ini can be done with the user_create_post.sh script.
 