
Date:  Sat, 9 Aug 2008 10:44:28 -0400
From:  "Stephanie Sullivan" <bq (at mark) aviaweb.com>
Subject:  [coba-e:13713] Re: apache suexec
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <009601c8fa2e$6d2610f0$477232d0$@com>
In-Reply-To:  <0ae801c8f970$b39503c0$6601a8c0@OfficeKen>
References:  <200807311849.m6VInpS5011718 (at mark) ana.xnet.com.mx> <09bc01c8f338$a3bbef60$6601a8c0 (at mark) OfficeKen> <822d01c8f89b$702b14b0$967da8c0 (at mark) thomasferrari> <08d501c8f91d$b6ee7db0$6601a8c0 (at mark) OfficeKen> <020f01c8f91f$47efa810$967da8c0 (at mark) thomasferrari> <0ae801c8f970$b39503c0$6601a8c0 (at mark) OfficeKen>
X-Mail-Count: 13713

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Ken Marcus - Precision Web Hosting, Inc.
> [mailto:kenmarcus (at mark) precisionweb.net]
> Sent: Friday, August 08, 2008 12:06 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:13707] Re: apache suexec
> 
> ----- Original Message -----
> From: "thomas" <tfj-online (at mark) mail.tele.dk>
> To: <coba-e (at mark) bluequartz.org>
> Sent: Thursday, August 07, 2008 11:23 PM
> Subject: [coba-e:13703] Re: apache suexec
> 
> 
> > ----- Original Message -----
> > From: "Ken Marcus - Precision Web Hosting, Inc."
> >
> >> Try setting the open base dir directories to not end with a /
> >
> > Hi Ken,
> >
> > I'm getting the same error without the / at the end, I have also tried to
> > add /web, but get the same errors
> >
> >
> >
> > PHP Warning:  move_uploaded_file() [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: open_basedir restriction in effect. File(/home/sites/www.domain.com/web/tmp/com_jce_150_rc4.zip) is not within the allowed path(s): (/var/lib/php/session:/home/.sites/16/site186:/home/sites/www.domain.com:/home/tmp:/tmp:/usr/bin/pear:/usr/share/pear) in /home/.sites/16/site186/web/libraries/joomla/filesystem/file.php on line 344, referer: http://www.domain.com/administrator/index.php?option=com_installer
> >
> > PHP Warning:  is_file() [<a href='function.is-file'>function.is-file</a>]: open_basedir restriction in effect. File(/home/sites/www.domain.com/web/tmp/com_jce_150_rc4.zip) is not within the allowed path(s): (/var/lib/php/session:/home/.sites/16/site186:/home/sites/www.domain.com:/home/tmp:/tmp:/usr/bin/pear:/usr/share/pear) in /home/.sites/16/site186/web/libraries/joomla/filesystem/archive/zip.php on line 127, referer: http://www.domain.com/administrator/index.php?option=com_installer
> >
> > --
> > Thomas Jensen
> 
> Thomas
> 
> You could add the directory location without the .zip on the end, from the
> error message to your list of allowed urls.
> 
> 
> 
> ----
> Ken Marcus
> Ecommerce Web Hosting by
> Precision Web Hosting, Inc.
> http://www.precisionweb.net
> 

Thomas,

The open_basedir directive RESTRICTS opening files. Removing it removes
restrictions. It is commented out by default in the nuonce package php.ini
and the /etc/admserv php.ini.

So it only helps restrict access, it does not enable access. It limits
access to the specified directories.

With respect to the group ownership... do you have an apache group? grep
apache /etc/group

From the PHP online manual:
http://us.php.net/manual/en/features.safe-mode.php#ini.open-basedir

open_basedir string 
Limit the files that can be opened by PHP to the specified directory-tree,
including the file itself. This directive is NOT affected by whether Safe
Mode is turned On or Off. 

When a script tries to open a file with, for example, fopen() or gzopen(),
the location of the file is checked. When the file is outside the specified
directory-tree, PHP will refuse to open it. All symbolic links are resolved,
so it's not possible to avoid this restriction with a symlink. If the file
doesn't exist then the symlink couldn't be resolved and the filename is
compared to (a resolved) open_basedir . 

The special value . indicates that the working directory of the script will
be used as the base-directory. This is, however, a little dangerous as the
working directory of the script can easily be changed with chdir(). 

In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts)
the same way as any other configuration directive with "php_admin_value
open_basedir none". 

Under Windows, separate the directories with a semicolon. On all other
systems, separate the directories with a colon. As an Apache module,
open_basedir paths from parent directories are now automatically inherited. 

The restriction specified with open_basedir is actually a prefix, not a
directory name. This means that "open_basedir = /dir/incl" also allows
access to "/dir/include" and "/dir/incls" if they exist. When you want to
restrict access to only the specified directory, end with a slash. For
example: "open_basedir = /dir/incl/" 

The default is to allow all files to be opened. 


PS:
Bottom posting - blah - when I follow a thread I know the question. It's
an annoyance to have to scroll to the bottom of the page to see a three line
reply. Just my opinion. :-)





-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: us-ascii

wj8DBQFIna1MRmFh0h8+YHsRAryxAJsGpl1b2w6WaUTZmAKxy4iXcwhV4wCg2Rip
34oRDUWwNyOmlZT6M9lM1mg=
=03fG
-----END PGP SIGNATURE-----
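
The prefix and symlink behaviour described in the manual text quoted above, as an added example that is not part of the original message and is not PHP's own code. It is a Python model of the check as that text states it; `is_allowed` and `demo` are hypothetical names, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile


def is_allowed(path, open_basedir, sep=":"):
    """Return True if `path` passes the modelled open_basedir check."""
    real = os.path.realpath(path)          # symlinks are resolved first
    if os.path.isdir(real):
        real += "/"                        # a directory matches its own "dir/" entry
    for entry in open_basedir.split(sep):
        if not entry:
            continue
        base = os.path.realpath(entry)     # the base itself is resolved too
        if entry.endswith("/"):
            base += "/"                    # trailing slash: whole-directory match
        if real.startswith(base):          # otherwise: plain string prefix
            return True
    return False


def demo():
    """Build a constructed tree and evaluate five lookups against it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("dir/incl", "dir/include", "outside"):
            os.makedirs(os.path.join(root, d))
        for f in ("dir/incl/ok.php", "dir/include/secret.php", "outside/secret.php"):
            open(os.path.join(root, f), "w").close()
        # Symlink inside the allowed tree that points out of it.
        os.symlink(os.path.join(root, "outside"),
                   os.path.join(root, "dir/incl/escape"))

        loose = os.path.join(root, "dir/incl")   # "open_basedir = /dir/incl"
        strict = loose + "/"                     # "open_basedir = /dir/incl/"
        p = lambda rel: os.path.join(root, rel)
        return {
            "loose_sibling": is_allowed(p("dir/include/secret.php"), loose),
            "strict_sibling": is_allowed(p("dir/include/secret.php"), strict),
            "strict_inside": is_allowed(p("dir/incl/ok.php"), strict),
            "strict_symlink": is_allowed(p("dir/incl/escape/secret.php"), strict),
            "strict_new_file": is_allowed(p("dir/incl/upload.zip"), strict),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'allowed' if ok else 'denied'}")
```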