9 replies to this topic

[OpaQue]

Faster and Secured Hosting.

ComputingHost will be activating open_basedir permissions on all its servers. Previously, we had it active on only a few select servers, however to make our hosting envoirment secure, We have now decided to activate it throughout our cluster.

Some of you might be wondering, What is open_basedir protection exactly?

Open_basedir limits the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

If you try to open a file using your PHP program, you can open files only in PRESENT directory where your PHP program is OR sub-directories. So, suppose your php program is at :-

user1/www/mysite/myPhpProgram.php

You can open files and work with them using PHP in these locations:-

user1/www/mysite/ -> present folder
user1/www/mysite/subsite/ -> sub-folder
user1/www/mysite/subsite/subsubdir/ -> sub-sub-folder

You cannot open files in these locations :-

user1/www/ -> parent folder not allowed
/user2/www/HISsite/ -> other user folder not allowed, even if it has 777 permission --> [CASE-A]

Consider CASE-A.

With OpenBase_dir Protection ON:

You being the programmer are not allowed to VIEW "user2's" file. You are given an error in PHP saying, open_basedir protection enabled.

If you are user2 here with folder "HISsite" (permission 777), You get safe because someone could had accessed your FOLDER "HISsite" and tampered with its contents, created files, folders, modified your content etc.

With OpenBase_dir Protection OFF:

With Protection OFF, anyone can access ANY of your folders and files with permission 777. This permission is usually given to PHP config files, folders were user contents are uploaded by your program like "uploads", "cache" etc.

A simple fopen and fwrite function can be used to Inject Code or data into your files. And much more can be done to abuse this power.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. If the file doesn't exist then the symlink couldn't be resolved and the filename is compared to (a resolved) open_basedir .

The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().

What if my PHP files are already using/including files from parent folder?

Good Question. The answer is, They will fail.
You will have to upgrade your script to better versions.

But, open_basedir is not something new and all php developers know about it. So, the amount of programs failing should be very rare.

Still, I am one of those rare cases? Now what ??

Don't worry, Contact us at http://www.xistosupport.com.
Select the Right Dept. and Send us a support ticket.

We will take care of your situation. (applicable only to Paid Web Hosting Members only)

Okay, thanks Shree for explaining open_basedir, Now I know what open_basedir is,
so what is eAccelerator all about?

eAccelerator is a PHP accelerator derived from the MMCache extension for the PHP programming language. eAccelerator provides a bytecode cache and encoder. eAccelerator is open source and thereby free to use and distribute.

Every time a PHP script is accessed, PHP usually parses and compiles scripts to bytecode. Once installed, eAccelerator optimizes the compiled bytecode and caches this to shared memory or disk. Upon subsequent accesses to a script, eAccelerator will access cached bytecode if it is available instead of the script being compiled. This avoids the performance overhead of repeated parsing and compilation.

eAccelerator also provides functions for use in PHP scripts that allow access to shared memory, automatic web (content) caching, and other related tasks.

and... How does this eAccelerator affect me?

Simple, If you logon to your PHP forums/gallery or other application and say, "WHOA! That was FAST!". You can give the credits to eAccelerator! :-)

I hope, you appreciate and support our decisions. We thank you again for choosing ComputingHost as your hosting provider.:-)

Regards,

Shree
Xisto Corporation

NEWS ARTICLE: http://www.xistosupport.com/index.php?_m=n...p;group=default

[Forbez]

Oooo, this looks very intresting. Good job guys, i'll be using this .

[Saint_Michael]

Although I don't have a computinghost account the open_basedir still a little confusing even after reading the FAQ, and so I try to break it down this way base on the info from the FAQ. Say if your using several scripts say like a counter, download script, and a gallery, I would have to put everything under one folder in order for everything to work instead of separate files?

The next part that confuses me is the user folder and so I try to break it down this way. So basically if your doing mini hosting under your account the admin is literally locked out of those folders then? Or are the people outside the cpanel admin unable to log in and unable to get into the account without the password?

[chrisranjana.com]

Kudos now hosting will be more secure using Open_basedir

[OpaQue]

Saint_Michael, on Feb 25 2008, 02:27 AM, said:

Although I don't have a computinghost account the open_basedir still a little confusing even after reading the FAQ, and so I try to break it down this way base on the info from the FAQ. Say if your using several scripts say like a counter, download script, and a gallery, I would have to put everything under one folder in order for everything to work instead of separate files?

The next part that confuses me is the user folder and so I try to break it down this way. So basically if your doing mini hosting under your account the admin is literally locked out of those folders then? Or are the people outside the cpanel admin unable to log in and unable to get into the account without the password?

I have updated the topic. I think I know where you got confused

[jlhaslip]

Opaque,
Thanks for continuing to provide a secure Hosting environment for us, and for continuing to provide the service.

Great job.

question about the eAccelerator... what sort of time does the Server cache the pages for? Can a re-load or CTL-reload of the Browser over-ride the cached version?
The reason I ask is: I am adjusting some css files and they do not appear to be working properly. Just curious if perhaps the caching at the server might be the issue?

[OpaQue]

jlhaslip, on Feb 27 2008, 01:57 AM, said:

Opaque,
Thanks for continuing to provide a secure Hosting environment for us, and for continuing to provide the service.

Great job.

question about the eAccelerator... what sort of time does the Server cache the pages for? Can a re-load or CTL-reload of the Browser over-ride the cached version?
The reason I ask is: I am adjusting some css files and they do not appear to be working properly. Just curious if perhaps the caching at the server might be the issue?

The caching happens server side and refresh will work perfectly. It will in no way affect CSS :-)

[leiaah]

I'm experiencing open_basedir restrictions in qupis since yesterday and I can't view my site. Am I suppose to configure something or put additional codes in my pages? Sorry I'm kinda new to open_basedir.

[Scream]

Okey, my site hasn't been working for few days already.
I receive error
Unknown: open_basedir restriction in effect. File(/home/ssscream/public_html/forum/index_.php) is not within the allowed path(s): (1)
Why open_basedir is set to 1?

http://ua2.php.net/features.safe-mode said:

open_basedir
Limit the files that can be opened by PHP to the specified directory-tree, including the file itself.
The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"

As I understand, there should be a path to the allowed folder.
So if I create file /home/ssscream/public_html/1/1/1/1/1/1/1/1.php ,it will work, all other files don't work.

OpaQue, on Feb 24 2008, 09:37 AM, said:

If you try to open a file using your PHP program, you can open files only in PRESENT directory where your PHP program is OR sub-directories.

Tell me please which directory is PRESENT for me in the case of open_basedir = 1.

Edited by Scream, 05 March 2008 - 10:19 AM.

[Carson]

I'm thinking about moving hosts now. My Site and my forum are integrated, so users can use both the site and forum with one account. With this restriction it's not possible anymore. I'm so disappointed, this is very important for my site. What am I going to do now...