Hi, I noticed on all websites there is PHP open_basedir filled with a bunch of folders, which I do not know whether all those are necessary. Beside that, this seems a bit unsecure, as all of them have access to some not-chrooted and non-private locations: Code: /var/www/clients/client29/web253/web: /var/www/clients/client29/web253/tmp: /var/www/domain.com/web: /srv/www/domain.com/web: /usr/share/php: /tmp: /usr/share/phpmyadmin: /etc/phpmyadmin: /var/lib/phpmyadmin Under SERVER CONFIG --> WEB --> PHP Config there is the template: Code: [website_path]/web: [website_path]/tmp: /var/www/[website_domain]/web: /srv/www/[website_domain]/web: /usr/share/php: /tmp: /usr/share/phpmyadmin: /etc/phpmyadmin: /var/lib/phpmyadmin Questions: 1.) Does really all those need to be there for all websites? 2.) If I remove from general settings, is there a method to update ALL websites? ....or will I need to go through all 1000+ websites manually?
Good catch, @labsy. I think the intent is that you can access phpmyadmin from any website name, but that sure does open up access to phpmyadmin credentials (full access to the phpmyadmin database ... not sure where you can go with that). It would be easy enough to redirect /phpmyadmin to the server hostname or some vhost which is intended to run it (and not under client control). As for /tmp, I'd guess it's to accommodate the occasional software that blindly uses a file in /tmp, but may not be that necessary (completely untested there). Under Tools > Resync you can resync all websites, but in testing just now it does not rewrite the php configuration for them, which seems like a bug. I'd image there's a way to trigger an update via the API, maybe someone can give you a quick pointer on that.
Looking in to that a bit more, each website has it's own open_basedir setting (in retrospect: duh!), so you could update that directly in the database (web_domain.php_open_basedir) then resync all websites. Just tested, and that works. You could probably update that right in the database if your sql-foo is good enough, otherwise it'd be a pretty simple script to loop through and read/modify/update each domain in web_domain table.
SQL to update (I left tmp in there, remove it if you want): Code: update web_domain set php_open_basedir = Replace(php_open_basedir, ':/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin', ''); Then Tools > Resync > Websites
If useful for anyone, here's a apache config snippit to redirect phpmyadmin if you don't access it via the server's hostname or ip address; config location is for debian/ubuntu, adapt as needed (and change example hostname/ip): Code: cat <<EOF >/etc/apache2/conf-available/phpmyadmin_redirect.conf # This makes the '/phpmyadmin' url work on each domain # by redirecting to the local server's hostname rather than # directly running phpmyadmin to not require phpmyadmin paths # in each site's open_basedir. <LocationMatch "(?i)^/phpmyadmin(/?|/.+)$"> RewriteEngine on RewriteCond "%{HTTP_HOST}" "!^yourhostname\.example\.com" [NC] RewriteCond "%{HTTP_HOST}" "!^192\.168\.123\.45" [NC] RewriteRule (.*) https://yourhostname.example.com%{REQUEST_URI} [R=301,NE,END] </LocationMatch> EOF a2enconf phpmyadmin_redirect
