Open_basedir for Joomla Security


#1

I have a simple Joomla site and now am trying to improve security before it gets hacked. One of the things mentioned is to use open_basedir to prevent one shared user from accessing files of another shared user on the same server.

Now here is where I’m confused. Dreamhost Wiki implies open_basedir is setup but php_info shows it as “no value”. So is it really set on Dreamhost and how can I verify it?

Tim


#2

It’s great that you are going the “extra mile” in attempting to insure that your site is a “hardened” as possible, and I also have seen that “mention” of using “open_basedir to prevent one shared user from accessing files of another shared user on the same server,” but I’m not sure it is the “best” advice for every situation. :wink:

Often, such recommendations presume certain configurations and, therefore, are not appropriate in every setup. In my previous experience on DreamHost, open_basedir being set has been extremely problematic and unreliable in actual use. It just didn’t work reliably, sometimes allowed writing to files it shouldn’t have while other times preventing writing to files that were in the proper path.

There is some discussion of open_basedir in the DreamHost wiki which confirms my experience. If you review the PHP documentation on open_basedir, I think you will agree that the restrictions open_basedir is designed to provide are actually already met as a result of PHP-CGI running under suexec (assuming you have set your permissions properly).

Since DreamHost runs PHP-CGI under suexec, there is no need to set your permissions on any file less restrictively than 755 in order for PHP to properly write to a file, which means you no longer need to have any “777” or “666” files or directories so the scripts can write to them. It is primarily in such situations that open_basedir (and some other “safe_mode” related types of things) might be desirable to try to add some additional security. Having your files only writable by your own user basically eliminates the need for such things and is, IMO, a much better way to approach the potential problem. PHP’s documentation seems to agree with me to some degree (" It is architecturally incorrect to try to solve this problem at the PHP level…"), and safe_mode itself is to be dropped in PHP 6.

The only “implication” I could find re. open_basedir being “setup” is in reference to running mod_php (which is not “casually” available any more on DreamHost)).

You are correct that, per phpinfo, open_basedir is not set by default on DreamHost’s PHP installation and that is how you would verify it!). If you really want to enable its use, you could compile your own PHP or use your own version of php.ini with a copied version of DreamHost’s php setup for your own user and implement it yourself (all that is described in the wiki, and discussed to death on these forums).

In my opinion, DreamHost’s current setup running PHP-CGI under suexec more than compensates for any additional protection open_basedir might provide and, given the unpredictable behavior I have experienced using open_basedir, I advise you “just say no” when it comes to implementing it for your Joomla! site. DreamHost’s suexec environment is actually a better security model. :wink:

–rlparker


#3

Thank-you so much for taking the time to post and explain things. I’m new to servers, Joomla, etc and have been trying to secure my site to maybe prevent the “I’ve been hacked” message! Here are some related security questions.

  1. Since directories only need 755 access and files only need 644, should I go to Joomla/Site Globals/Server and apply to existing directories and files?

  2. Under Site Globals, I get the following “error”.

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

  • PHP magic_quotes_gpc setting is OFF instead of ON

Should I add something to htaccess.txt?

  1. Is it okay to have a htaccess.txt file instead of .htaccess? I saw a reference somewhere that .htaccess isn’t even read in Apache CGI mode or something like that.

  2. I read somewhere that PHP display_errors should be OFF but it is ON at Dreamhost. Comments?

  3. I read somewhere that PHP enable_dl should be OFF but it is ON at Dreamhost. Comments?

  4. I read somewhere that PHP log_errors should be ON but it is OFF at Dreamhost. Comments?

  5. If I haven’t worn you out yet, I need backup software. I’ve installed Joomla Pack, which backs up the database and files, however, it seems to backup directories that were told to be excluded which makes for a large backup (lots of photos). In short, I’d like to backup the Joomla database and any Joomla changes after installation (Ex. Joomla content, formatting for pages, etc). That is, Joomla is a one-click install so no real need to backup unchanged files and no need to backup my photo content since the original content is on my local PC.

Tim


#4

You are welcome, and I’m glad some of that response was helpful to you.

As for your remaining questions, it will help me know how to best and most accurately answer if I know what version of Joomla! you are using, and whether you installed it yourself or via a “one-click” install from the DreamHost Control Panel (this is relevant because how the application was installed could result in different answers for some of your questions) :wink:

–rlparker


#5

I believe that you must use .htaccess files… When you install Joomla!, you would find a file called htaccess.txt. This would only be a template for the “real” .htaccess. So for the htaccess to work, you would have to rename htaccess.txt into .htaccess otherwise… there is no point to have the htaccess file (other than… say a reference for some point in time… yeah…)

Hope this helps


#6

Actually, it is completely dependent on whether or not you need (or desire) an .htaccess file to do anything or not.

You will need to rename the supplied htaccess.txt to .htaccess if you wish to use SEF from the Joomla! back end, or other SEF modules, or if you want to control access to the whole site via apache http authentication (in which case you would also need to modify it from what is provided), as examples.

If you don’t use those, the standard Joomla! install needs no .htaccess file at all. :wink:

–rlparker


#7

Joomla was installed using one-click and I recently upgraded to 1.0.13 using the panel “upgrade” button. Very handy!

Tim


#8

Okay! Thanks for that information. I’ll give a shot at addressing some of your questions:

I can’t find that option at all in Joomla! 1.0.13, so I am a bit at a loss as to how to answer you. Under the “Site -> Global Configuration -> Server” screen of the Joomla! admin section, you do have the ability to determine how new files permissions are handled, and those should be set to "Dont CHMOD new files/dirs (use server defaults):. They should already be properly set for DreamHost (644 for files and 755 for dirs) by virtue of DreamHost’s umask settings and the installation process. Leave this alone.

That is not an “error” it is a “warning” that is much more relevant to users in a particular situation (see [this DH wiki article on DH configuration and Joomla!). There is additional information in this DH wiki article on Magic_quotes, including how to change the setting if that warning message bothers you. Generally speaking, you should have no problem, security or otherwise, with the default DH setting for this. WHeter or not you elect to change that setting is up to you, but you cannot doi ti via .htaccess at any rate (see the previously referenced links).

That question has already been answered in another post in this thread. .htaccess.text is just a “pre-prepared” .htaccess file that you can use “as is” if you need to implement the SEF urls section of the Global Configuration. You only need an .htaccess file if you are going to place some directives into it. I don’t know the details of the reference that you saw elsewhere, but I suspect the context in which you were reading had to do with certain PHP directives not working with PHP-CGI. ,htaccess files are read by the server when serving a page and many things can be done with directives in an .htaccess file, though those things differ whether you are running PHP as an apache module (mod_php) or as PHP-CGI (as it is by default on DreamHost.) Google can help you find out more about all of that, or it is a subject for another thread. :wink:

[quote]4. I read somewhere that PHP display_errors should be OFF but it is ON at Dreamhost. Comments?

  1. I read somewhere that PHP enable_dl should be OFF but it is ON at Dreamhost. Comments?

  2. I read somewhere that PHP log_errors should be ON but it is OFF at Dreamhost. Comments?[/quote]
    All these choices are matter of personal choice, though the control of what errors are displayed is an important part of any “security through obscurity” concept. Frankly, once your site is deployed, it should be error free, and I have no problem with DreamHost’s default setting in these areas. You can, of course, change then as you see fit by installing your own version of PHP or using a copy of DreamHost’s PHP and your own php.ini file (see the wiki for instruction on each of these optioins).

I’ve never found the need for any additional back-up software other than the traditional *nix tools - sftp, rsync, wget, tar, etc. You can always dump/export you database via phpMyAdmin or other tools, and back up the code for your site via the tools I’ve already mentioned. If you find Joomla Pack to be useful, I say “go for it”. You can also use automated back-up scripts (see the wiki) if you want to use traditional back-up methods with reduced interactivity.

Whew! Hopefully, that has answered some of your questions. In the future, please consider giving each question (at least those that are unrelated) its own thread, as it makes it a lot easier to address them “one at a time” and makes it easier for others searching for similar answers to identify a relevant post, eh? :wink:

–rlparker