
Re: Many Virtual Hosts security problem with PHP



If you run php in safe mode and set your PHP open_basedir to the
DocumentRoot for the domain, then they cannot open any files outside of
that directory.  In php.ini:

safe_mode = on

Then in your <VirtualHost>:

php_admin_flag engine on
php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"

You may even want to leave off "/tmp" and make each user create a tmp
directory in their own directory, or move the restriction back to
/var/www/vhosts/domain.com so they can use anything inside of their domain
directory.  If you do this for every VirtualHost, you shouldn't have to
worry about users reading/writing to each other's files .. if they attempt
to open a file outside of the open_basedir, their script will die out with
an error.  There are some other safe_mode variables in the php.ini you
might want to check out too.

You will probably want to restrict cgi-script access, since this is
another way to get around chroot restrictions :)

-Henry

On Sun, 21 Apr 2002, Gustavo Felisberto wrote:

> I have a machine with many virtual hosts. Some of the virtual hosts are
> maintained by clients (we serve as a web hosting company) and some are
> internal.
> The external accounts are locked out of the main filesystem using proftpd's
> chroot feature and by having /dev/null as the shell.
> My problem is that even that way users of the external group can use PHP's
> fopen() to open other files. And in a PHP/MySQL environment it is not hard to
> find files with database login/password. If I had lots of IPs I could run
> several copies of Apache, each one on its IP and one for each external
> client; I would run it with the client's group and that way I could lock each
> one out of the others' accounts. The problem is that I don't have lots of IPs,
> any ideas on how to solve this?
> 
> Gustavo Felisberto
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
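An added check, written for this archive page and not part of Henry's reply or of anything Gustavo posted: a small PHP script a hosting admin can drop into a tenant's DocumentRoot (or run from the CLI with -d open_basedir=...) to see what the open_basedir restriction from Henry's <VirtualHost> stanza actually stops, and what it does not. It follows the thread's layout (/var/www/vhosts/domain.com/htdocs plus /tmp); "other.example" is a hypothetical neighbouring vhost used only as a target that a tenant must not be able to read. Note for anyone applying Henry's advice today: safe_mode was deprecated in PHP 5.3 and removed in 5.4, so only the open_basedir half of his answer still exists.

```php
<?php
// Added example (not from the thread): probe an open_basedir restriction from
// inside a vhost. Run it as a page under the vhost's DocumentRoot, or from
// the CLI as:
//   php -d open_basedir=/var/www/vhosts/domain.com/htdocs:/tmp check_basedir.php
// Paths follow the thread's layout; "other.example" is a hypothetical
// neighbouring vhost that exists only to show what a tenant cannot reach.

// A symlink planted in an allowed directory (/tmp) that points outside it.
// It is created before the restriction is narrowed because symlink() itself
// honours open_basedir; a real tenant would plant it over FTP instead.
$link = '/tmp/basedir-probe-' . getmypid();
$linkCreated = @symlink('/etc/passwd', $link);

// Narrow open_basedir to this script's own directory plus /tmp. At runtime
// the directive can only be tightened, never widened: if php.ini or the
// <VirtualHost> already sets it, the stricter value stays in force.
$basedir = __DIR__ . PATH_SEPARATOR . '/tmp';
if (ini_set('open_basedir', $basedir) === false) {
    fwrite(STDERR, "cannot narrow open_basedir to $basedir\n");
    exit(1);
}

// Read a path through PHP's stream layer and classify the outcome.
function probe(string $path): string
{
    error_clear_last();
    $data = @file_get_contents($path);
    if ($data !== false) {
        return sprintf('READ (%d bytes)', strlen($data));
    }
    $msg = error_get_last()['message'] ?? 'unknown error';
    // PHP reports a basedir denial with a fixed phrase, which separates
    // "blocked" from "no such file" or an OS permission error. The check
    // runs before the open(), so even non-existent outside paths are blocked.
    if (strpos($msg, 'open_basedir restriction') !== false) {
        return 'BLOCKED by open_basedir';
    }
    return 'failed: ' . $msg;
}

$probes = [
    'own DocumentRoot'  => __FILE__,
    'other vhost'       => '/var/www/vhosts/other.example/htdocs/config.php',
    'dot-dot traversal' => __DIR__ . '/../../other.example/htdocs/config.php',
    'system file'       => '/etc/passwd',
    'symlink from /tmp' => $link,   // realpath is resolved first, so blocked too
];

foreach ($probes as $label => $path) {
    printf("%-18s %-58s %s\n", $label, $path, probe($path));
}

// unlink() resolves the link target as well, so under the restriction the
// probe link may have to be removed by hand.
if ($linkCreated && !@unlink($link)) {
    fwrite(STDERR, "note: remove $link by hand (unlink is also subject to open_basedir)\n");
}

// What open_basedir does NOT cover: anything that leaves the PHP engine.
// A subprocess is bound only by the web server user's OS permissions, which
// is the same class of hole as the cgi-script route Henry mentions. It stays
// open until exec-style functions are listed in disable_functions or each
// vhost runs as its own OS user (suexec, or a per-pool php-fpm user).
$shell = function_exists('shell_exec')
    ? trim((string) @shell_exec('test -r /etc/passwd && echo reachable'))
    : 'shell_exec disabled';
printf("%-18s %-58s %s\n", 'via shell', '/etc/passwd', $shell === '' ? 'not readable' : $shell);
```

Two things the output makes visible that Henry's stanza alone does not: the first four probes show that open_basedir resolves the real path before checking, so dot-dot traversal and symlinks into another tenant's directory are refused along with the plain path; the last line shows that a tenant who can spawn a process reads /etc/passwd regardless, because the restriction lives in PHP's stream layer, not in the kernel. php_admin_value inside <VirtualHost> only reaches mod_php; with php-fpm the equivalent is php_admin_value[open_basedir] in the pool file, and it is the pool's user and group directives, not open_basedir, that separate tenants at the OS level.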

