How to Restrict PHP Scripts

2025-04-21

I have a dilemma: I need to restrict hosting customers so that their PHP scripts are only able to access or include files from their personal directories. I use cPanel/WHM; each of my clients' directories are /home/[USERNAME]. I have thought of using open_basedir - however, this will be problematic because I will have to either insert a unique open_basedir in each of the VirtualHosts in httpd.conf or modify cPanel/WHM's account creation script (/scripts/wwwacct) to do it automatically. I was wondering if you can use a wildcard in a PHP configuration value in the following way:

Code:

php_admin_value open_basedir "/home/*"

Also, I have another question. I have a special customer signup system that I use that includes a config file with database information. I have modified the cPanel frontend so that it is able to query this database info and show it to the user within cPanel. However, as you would guess, it needs the config file. However, when I try to access the file, I get this error:

Code:

Warning: main(/home/djbob/public_html/signup/functions.php): failed to open stream: Permission denied in /tmp/cpanel_phpengine.1142557952.18984614.260966694964 on line 12

Note how the cPanel PHP engine copies the PHP file into /tmp/ before running it. Does /tmp/ have any bad permissions I should know about? Regardless, I would like to have cPanel be able to access this directory. How do I go about doing this? If it is not possible, would it be smart ot stick my signup solution into a directory in the cPanel frontend, and then make a ScriptAlias/Alias for URL access?

Thanks for helping!