

Is it safe to put /usr/local/bin in basedir?




Posted by AndyB78, 11-07-2007, 10:42 AM
Hello, I am trying to assist a customer in installing a Dolphin CMS, but it returns some "open_basedir restriction in effect" on /usr/local/bin/php (it needs the path to the PHP binary). If I put /usr/local/bin/php in httpd.conf -> php_admin_value open_basedir "..." it seems to work and it finds the required binary, but... is this safe? Thanks and regards!
Last edited by AndyB78; 11-07-2007 at 10:57 AM. Reason: further details

Posted by Patrick, 11-07-2007, 12:08 PM
There's nothing bad about allowing access to the /usr/local/bin directory, but I find it strange that the CMS requires direct access to the PHP binary. Have you tried creating a symlink and seeing if that allows you to bypass the open_basedir restriction? Example:
ln -s /usr/local/bin/php /home/user/public_html/php
Then specify the PHP binary location as:
/home/user/public_html/php

Posted by AndyB78, 11-07-2007, 12:45 PM
Thanks for your answer. Well... this script is a bit strange, meaning that it tries to find the binary where it thinks it should be; if it doesn't work, it returns an error and gives you the possibility to enter the right path, and when you press next it just goes on without checking if the new path is correct or not, so I have no idea if the symlink works or not. I am not sure if it needs direct access to the binary... maybe it just wants to check the location. Also, I thought you can't bypass a basedir restriction with a symlink. Regards!

Posted by RBBOT, 11-07-2007, 02:32 PM
You could hard link it, or just copy it.

Posted by gogocode, 11-07-2007, 08:31 PM
If the server is properly managed, turn open_basedir off; it's worthless security anyway if the users can also use other scripting technology like Perl (or for that matter, shell). The CMS may need to get to the CLI PHP so it can lint, or run cron jobs locally, etc.

Posted by david510, 11-08-2007, 02:09 AM
AndyB78, for a user to run a PHP script, there is no need to add /usr/local/bin/php to the open_basedir path. When a PHP script tries to access a path under /usr/local/bin/, it will return an open_basedir error. And it is dangerous to allow this path in the open_basedir protection.

Posted by Patrick, 11-08-2007, 10:22 AM
It's not an ideal solution, but I wouldn't go as far as calling it dangerous. I'm sure you know there are plenty of ways to get around the open_basedir protection and half the time it doesn't even work... In a situation like this where the software needs a direct path to the PHP binary, I would say symlink if possible or allow the directory to be accessed... with sym / hard link being the preferred method.

Posted by AndyB78, 11-08-2007, 11:52 AM
Maybe David knows plenty of ways to get around it, but I don't. However, I am more interested in when exactly it doesn't work and when it does work. Could you elaborate on this one? Thanks to all that took the time to reply!

Posted by ServerSurgeon George, 11-08-2007, 12:39 PM
It requires access to /usr/local/bin/php because PHP is either running as fcgi or using su_php. To fix this it's easier to set open_basedir to "none".

Posted by AndyB78, 11-08-2007, 12:53 PM
PHP is installed as an Apache module, but su_php... what is this? Sorry for the noob question...

Posted by ServerSurgeon George, 11-08-2007, 12:55 PM
In this case it should not need open_basedir allowed to /usr/local/bin. su_php is a way to run each PHP script as the user that owns it.
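
An added example, not part of the thread or any poster's code: a Python check that reads an Apache config and reports which open_basedir entries reach into system directories or clear the restriction with none, the two changes proposed in the posts above. The sample config, its hostnames and the SYSTEM_TREES list are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed httpd.conf fragment; hostnames and paths are sample values.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName shop.example.test
    php_admin_value open_basedir "/home/user:/tmp:/usr/local/bin/php"
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.test
    php_admin_value open_basedir "/home/other/:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName old.example.test
    php_admin_value open_basedir none
</VirtualHost>
"""

# Assumption: these trees hold system binaries and config, not site content.
SYSTEM_TREES = [PurePosixPath(p) for p in ("/bin", "/sbin", "/usr", "/etc", "/lib")]

DIRECTIVE = re.compile(r'^\s*php_admin_value\s+open_basedir\s+"?([^"\n]*?)"?\s*$', re.I)
SERVER = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def audit_open_basedir(conf_text):
    """Return (server, entry, reason) for each open_basedir entry worth reviewing."""
    findings, server = [], "(global)"
    for line in conf_text.splitlines():
        m = SERVER.match(line)
        if m:
            server = m.group(1)
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value.lower() == "none":  # "none" clears a previously set value
            findings.append((server, value, "open_basedir cleared for this scope"))
            continue
        for entry in filter(None, value.split(":")):  # ':' separates paths on Unix
            path = PurePosixPath(entry)
            hit = next((t for t in SYSTEM_TREES if path == t or t in path.parents), None)
            if hit is not None:
                findings.append((server, entry, f"inside system tree {hit}"))
    return findings

if __name__ == "__main__":
    for server, entry, reason in audit_open_basedir(SAMPLE_CONF):
        print(f"{server}: {entry} -> {reason}")
```

Run against a real httpd.conf, the findings give a per-site list of entries to review rather than a verdict; a single allowed binary path and a whole allowed directory both show up, so the difference in scope is visible.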


