open_basedir tweak via cpanel not supported


aww
05-07-2007, 04:05 AM
cPanel's "tweak security" offers a menu option to turn on open_basedir on a per-user basis.

LiteSpeed doesn't seem to obey cPanel (not surprisingly, as cPanel is probably writing php.ini in another directory).

How do I enable this manually?
Any issues to consider under LiteSpeed vs apache?

Tweak php open_basedir Security

php open_basedir Protection

Php's open_basedir protection prevents users from opening files outside of their home directory with php.

mistwang
05-07-2007, 05:29 AM
cPanel overrides "open_basedir" for each virtual host in httpd.conf, and it is honored by LiteSpeed. Please check it via a phpinfo page.

aww
05-07-2007, 11:38 AM
Well you are right, it's in phpinfo

However if I remember correctly under apache+php if you try something as simple as this, it should fail as it's trying to read a path outside the owner's own folder

echo file_get_contents('/proc/loadavg');

lsws+php+open_basedir is allowing it to happen without error

mistwang
05-07-2007, 11:43 AM
As far as I know, it is a bug in PHP 4.4.6, but the PHP team won't fix it; you can check PHP's bug reports.

mistwang
05-07-2007, 11:44 AM
The same thing will happen with Apache mod_php.

aww
05-07-2007, 11:56 AM
Ah my apologies then.
I could have sworn it failed under my apache+php which was 4.4.6

Later tonight when traffic is slower I will switch back to apache temporarily just to double check (and see what php version I am actually running under that)

Was I at least right about the /~username issue?

mistwang
05-07-2007, 04:22 PM
There is a thread in webhostingtalk about PHP 4.4.6 + Apache, http://www.webhostingtalk.com/showthread.php?t=601125

We are investigating the user dir issue.

mistwang
05-07-2007, 10:38 PM
PHP 4.4.7 has been released; it might be fixed.

aww
05-07-2007, 11:29 PM
Please forgive my ignorance: for a PHP upgrade, do we upgrade through your installer? So basically we have to wait until you make a package for 4.4.7? (Not rushing you, just trying to understand the process.)

mistwang
05-08-2007, 09:24 AM
You'd better build your own PHP binary; just follow the tutorial in our wiki.
It is the only way to get it up to date as early as you can.
Make sure to uninstall eAccelerator before upgrading PHP to another version, then install it again after the upgrade.

aww
05-08-2007, 09:27 PM
I owe you an apology.

Apparently open_basedir *is* working, it's just that unlike apache, the error is not being thrown to the http output?

I just noticed this in the lsws logs:
[STDERR] PHP Warning: file_get_contents() [<a href='function.file-get-contents'>function.file-get-contents</a>]: open_basedir restriction in effect. File(/proc/loadavg) is not within the allowed path(s): (/home/example/:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/example/public_html/phpinfo/index.php on line 5

So it's working just fine.
Just not seeing the error in the browser which threw me.
Is that a php.ini option I might be missing?
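
Added example, not part of the thread: a probe page that decides whether open_basedir is enforced from the return value of the read and from the warnings it captures itself, so the verdict does not depend on whether PHP prints errors to the browser. It assumes PHP 7 or later; the function name probe_open_basedir() is hypothetical, and /proc/loadavg is the probe path used in the posts above.

```php
<?php
// Added example: check open_basedir enforcement without relying on
// browser-visible errors. probe_open_basedir() is a hypothetical helper.

function probe_open_basedir(string $path): array
{
    $raw = (string) ini_get('open_basedir');
    $allowed = $raw === '' ? [] : explode(PATH_SEPARATOR, $raw);

    // Collect every warning from the read attempt. PHP raises more than one
    // (the open_basedir message, then "failed to open stream"), so keep all.
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;
        return true; // handled here: nothing is displayed or logged
    });
    $data = file_get_contents($path);
    restore_error_handler();

    $blocked = false;
    foreach ($warnings as $w) {
        if (strpos($w, 'open_basedir restriction in effect') !== false) {
            $blocked = true;
        }
    }

    return [
        'open_basedir'            => $allowed,
        'display_errors'          => ini_get('display_errors'),
        'read_succeeded'          => $data !== false,
        'blocked_by_open_basedir' => $data === false && $blocked,
        'warnings'                => $warnings,
    ];
}

header('Content-Type: text/plain');
$result = probe_open_basedir('/proc/loadavg');
print_r($result);

if ($result['open_basedir'] === []) {
    echo "open_basedir is not set for this vhost\n";
} elseif ($result['read_succeeded']) {
    echo "open_basedir is set but the probe read succeeded: check the allowed paths\n";
}
```

A result with read_succeeded false and blocked_by_open_basedir true corresponds to the situation in the last post: the restriction is in effect even when nothing appears in the HTTP output.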