I found out security in DirectAdmin can be better.
My solution is to use a custom php.ini for every domain, with open_basedir set to the domain folder.
I also use a custom phptmp directory for every domain, so that users can't access temp files from other users or domains.
The php.ini files are write protected with chattr, so that users (even root) can't edit them with ftp or ssh.
I advise you to keep it this way, so that users can't change open_basedir and hack into directories from other users.
This is tested in Debian Etch, use at your own risk!
First of all build custombuild with suPHP:
Code:
vi /usr/local/directadmin/custombuild/options.conf
Replace:
Code:
php5_cli=yes
php5_cgi=no
With:
Code:
php5_cli=no
php5_cgi=yes
Run the custombuild script:
Code:
cd /usr/local/directadmin/custombuild
./build clean
./build all
Code:
vi /etc/httpd/conf/extra/httpd-suphp.conf
Replace:
Code:
suPHP_ConfigPath /usr/local/etc/php5/cgi/
With:
Code:
#suPHP_ConfigPath /usr/local/etc/php5/cgi/
(in other words comment it out)
Note: I found out that after each rebuild of custombuild, you have to uncomment this again.
Code:
cd /usr/local/directadmin/data/templates
cp virtual_host*.conf custom
cd custom
Once you've copied the 4 VirtualHost files (or just the ones you want) to the custom directory, you can then edit the new files you've just copied. DirectAdmin will always check for the custom file before going to the default ones. Failure to copy the virtual_host*.conf files to the custom directory before modifying them will result in a loss of all changes when DirectAdmin updates itself (the files are overwritten). Note that there are actually 8 virtual_host files, but you only need to worry about the 4 that apply to you. The files with the 2 in them are for apache 2.x. The ones without the 2 in them are for apache 1.3.
Change:
Code:
|*if SUPHP="1"|
suPHP_Engine |PHP|
suPHP_UserGroup |USER| |GROUP|
|*endif|
to:
Code:
|*if SUPHP="1"|
suPHP_Engine |PHP|
suPHP_UserGroup |USER| |GROUP|
suPHP_ConfigPath |HOME|/domains/|DOMAIN|/
|*endif|
Repeat this for all 4 VirtualHost files.
Let DirectAdmin rewrite all http configs:
Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
Now we create the custom scripts:
Code:
mkdir -p /usr/local/directadmin/scripts/custom/
cd /usr/local/directadmin/scripts/custom/
Create the following files:
domain_change_post.sh:
Code:
#!/bin/sh
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
USERPHPINI=/home/$username/domains/$newdomain/php.ini
mkdir -p /home/$username/domains/$newdomain/phptmp
cp $DEFPHPINI $USERPHPINI
perl -pi -e "s/open_basedir =\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/$newdomain\//g" $USERPHPINI
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/$newdomain\/phptmp\//g" $USERPHPINI
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/$newdomain\/phptmp\/\"/g" $USERPHPINI
chown -R $username:$username /home/$username/domains/$newdomain
chmod -R 755 /home/$username/domains/$newdomain
chattr +i $USERPHPINI
domain_change_pre.sh:
Code:
#!/bin/sh
chattr -i /home/$username/domains/$domain/php.ini
domain_create_post.sh:
Code:
#!/bin/sh
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
USERPHPINI=/home/$username/domains/$domain/php.ini
mkdir -p /home/$username/domains/$domain/phptmp
cp $DEFPHPINI $USERPHPINI
perl -pi -e "s/open_basedir =\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/$domain\//g" $USERPHPINI
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/$domain\/phptmp\//g" $USERPHPINI
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/$domain\/phptmp\/\"/g" $USERPHPINI
chown -R $username:$username /home/$username/domains/$domain
chmod -R 755 /home/$username/domains/$domain
chattr +i $USERPHPINI
domain_destroy_pre.sh:
Code:
#!/bin/sh
chattr -i /home/$username/domains/$domain/php.ini
user_create_post.sh:
Code:
#!/bin/sh
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
for d in `cat /usr/local/directadmin/data/users/$username/domains.list`; do
{
USERPHPINI=/home/$username/domains/${d}/php.ini
mkdir -p /home/$username/domains/${d}/phptmp
cp $DEFPHPINI $USERPHPINI
perl -pi -e "s/open_basedir =\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/$username\/domains\/${d}\//g" $USERPHPINI
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/$username\/domains\/${d}\/phptmp\//g" $USERPHPINI
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/$username\/domains\/${d}\/phptmp\/\"/g" $USERPHPINI
chattr +i $USERPHPINI
};
done;
chown -R $username:$username /home/$username
chmod -R 755 /home/$username
user_destroy_pre.sh:
Code:
#!/bin/sh
for d in `cat /usr/local/directadmin/data/users/$username/domains.list`; do
{
chattr -i /home/$username/domains/${d}/php.ini
};
done;
Do chmod +x for all these files.
Now the last step is to edit your standard php.ini.
This one is used for the http://ip/~userdir so we need to customise it.
[EDIT]
Note that with suPHP you can't run php scripts from http://ip/~userdir without switching suPHP from paranoid to owner mode!
http://help.directadmin.com/item.php?id=176
I advise staying in paranoid mode; I just don't use PHP scripts at http://ip/~userdir.
The reason for this is that I've read about some security problems with owner mode somewhere on the net.
[/EDIT]
(Remember that the above custom scripts require these exact settings for the replace functions to work)
Code:
vi /usr/local/etc/php5/cgi/php.ini
Code:
; No space after "=" here: the custom scripts match this line literally.
open_basedir =/var/www/html/:/tmp/
disable_functions = dl,exec,passthru,proc_open,proc_close,shell_exec,system
;upload_tmp_dir =
;session.save_path = "/tmp"
Now restart DirectAdmin:
Code:
/etc/init.d/directadmin restart
Done.
I also have a script for you to regenerate all user dirs and files; this is handy if you need to update all php.ini files, for example.
Code:
#!/bin/sh
DEFPHPINI=/usr/local/etc/php5/cgi/php.ini
for i in `ls /usr/local/directadmin/data/users`; do
{
for d in `cat /usr/local/directadmin/data/users/${i}/domains.list`; do
{
USERPHPINI=/home/${i}/domains/${d}/php.ini
mkdir -p /home/${i}/domains/${d}/public_html/cgi-bin
mkdir -p /home/${i}/domains/${d}/private_html
mkdir -p /home/${i}/domains/${d}/public_ftp
mkdir -p /home/${i}/domains/${d}/stats
mkdir -p /home/${i}/domains/${d}/logs
mkdir -p /home/${i}/domains/${d}/phptmp
chattr -i $USERPHPINI
rm -r $USERPHPINI
cp $DEFPHPINI $USERPHPINI
perl -pi -e "s/open_basedir =\/var\/www\/html\/:\/tmp\//open_basedir =\/home\/${i}\/domains\/${d}\//g" $USERPHPINI
perl -pi -e "s/;upload_tmp_dir =/upload_tmp_dir =\/home\/${i}\/domains\/${d}\/phptmp\//g" $USERPHPINI
perl -pi -e "s/;session.save_path = \"\/tmp\"/session.save_path =\"\/home\/${i}\/domains\/${d}\/phptmp\/\"/g" $USERPHPINI
chattr +i $USERPHPINI
};
done;
mkdir -p /home/${i}/backups
chown -R $i:$i /home/${i}
chmod -R 755 /home/${i}
};
done;
/etc/init.d/httpd restart
exit 0;
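The perl substitutions in the scripts above match the global php.ini literally, so a default that differs by even one space leaves the per-domain copy with the global values and no error. The following check is an added example, not part of the original post: it reads the three directives back from a per-domain php.ini and compares them with the domain folder. The helper names (ini_value, audit_php_ini, make_samples) and the alice/example.com sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that a per-domain php.ini
# really confines PHP to its domain folder. Helper names are hypothetical.

# Print the last active (uncommented) value of directive $2 in file $1.
ini_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Return 0 if php.ini $1 matches the layout the scripts above should produce
# for domain directory $2; otherwise print each mismatch and return 1.
audit_php_ini() {
    ini=$1; base=${2%/}; rc=0
    for pair in "open_basedir=$base/" "upload_tmp_dir=$base/phptmp/" \
                "session.save_path=$base/phptmp/"; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(ini_value "$ini" "$name")
        if [ "$got" != "$want" ]; then
            echo "FAIL $ini: $name is '$got', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: one file as the scripts should leave it, and one
# where the perl patterns did not match, so the global defaults survived.
make_samples() {
    mkdir -p "$1"
    cat > "$1/good.ini" <<EOF
open_basedir =/home/alice/domains/example.com/
upload_tmp_dir =/home/alice/domains/example.com/phptmp/
session.save_path ="/home/alice/domains/example.com/phptmp/"
EOF
    cat > "$1/stale.ini" <<EOF
open_basedir = /var/www/html/:/tmp/
;upload_tmp_dir =
;session.save_path = "/tmp"
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_php_ini "$tmp/good.ini" /home/alice/domains/example.com && echo "good.ini OK"
audit_php_ini "$tmp/stale.ini" /home/alice/domains/example.com || echo "stale.ini needs regeneration"
rm -rf "$tmp"
```

On a live server, call audit_php_ini for each /home/user/domains/domain/php.ini after running the regeneration script; lsattr on the same file shows whether the immutable flag set by chattr +i is still present.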