unhappy with my open_basedir directive - alternatives?

Discussion in 'Installation/Configuration' started by DantePasquale, Jul 29, 2010.

  1. DantePasquale

    DantePasquale HowtoForge Supporter

    Hi,

    I've been running an RC candidate of Gallery3 and am unhappy that I had to open up /usr/bin in the open_basedir setting for one of my sites that is using it. I really think this is a security concern, but what alternatives do we have?

    It's really a matter of where Gallery3 looks for one of the graphics packs. I'm running Ubuntu 9.10 so I downloaded and installed into /var/www/web1/usr/bin and tried to set that into open_basedir, but Gallery3 executes a 'which' command to find the package and finds it in /usr/bin -- I removed it from there, but it still won't look into /var/www/web1/usr/bin! (I think this is going to get resolved in the official release).

    Any idea on alternatives? Are my concerns justified?

    Ciao, Danté
     
  2. till

    till Super Moderator

    I understand your concerns, and hopefully the Gallery3 developers will add an option to specify the path to external binary tools, like most CMS systems do. What you can try is to check whether there really are security issues when you open /usr/bin for this website by trying to write something to the directory, e.g. with this PHP snippet:

    <?php
    file_put_contents('/usr/bin/testwrite','test');
    ?>

    Save the snippet as a file in the Gallery3 web and call it in a browser. If you find a file /usr/bin/testwrite on the shell, then it is a security problem. If not, then it should be OK to open it, at least until Gallery3 provides an option to set the path.
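
Added example, not part of either post: the write test suggested above, generalized to probe every directory listed in the site's open_basedir rather than only /usr/bin. It assumes PHP 7 or later and that the file is requested through the web server, so the site's own open_basedir value and system user apply; the function names and the probe file name are made up for this example.

```php
<?php
// Added example: report which open_basedir entries the web server user can write to.
// Assumption: requested through the web server (not the CLI), so the site's
// open_basedir setting and system user are the ones being tested.

function open_basedir_entries(): array
{
    $raw = (string) ini_get('open_basedir');
    if ($raw === '') {
        return [];
    }
    // Entries are separated by ':' on Linux (PATH_SEPARATOR).
    $parts = array_map('trim', explode(PATH_SEPARATOR, $raw));
    return array_values(array_filter($parts, 'strlen'));
}

function probe_write(string $dir): string
{
    // An entry without a trailing slash is a path prefix and may not be a directory.
    if (!@is_dir($dir)) {
        return 'not a directory or not accessible';
    }
    // Random name plus mode 'x' (fail if the file exists): never overwrites anything.
    $probe = rtrim($dir, '/') . '/.obd_probe_' . bin2hex(random_bytes(8));
    $fh = @fopen($probe, 'x');
    if ($fh === false) {
        return 'not writable';
    }
    fclose($fh);
    // Clean up, and say so if the probe file could not be removed.
    return @unlink($probe) ? 'WRITABLE' : "WRITABLE (probe left behind: $probe)";
}

header('Content-Type: text/plain');
$entries = open_basedir_entries();
if (!$entries) {
    echo "open_basedir is not set for this site\n";
    exit;
}
foreach ($entries as $entry) {
    printf("%-40s %s\n", $entry, probe_write($entry));
}
```

Delete the script from the web root after reading the output. A WRITABLE result for a system directory such as /usr/bin is the case the reply above calls a security problem.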
     
