
RE: Many Virtual Hosts security problem with PHP



You can also put other directives in the <VirtualHost> section, like:
<Directory>
AddType for scripting and other file types.
Override settings for .htaccess.
Other PHP-related settings (include_path, sendmail from, upload tmp dir, ...).
errdoc, ...

Keep the ftp root above the www root; it gives you a private space to have include files,
a tmp directory, log files, maildir, files with passwords and other sensitive
settings outside the www root
(ftp-root /var/www/virtual/customer1/
 www-root /var/www/virtual/customer1/www )

Gives you a strong control over each virtualhost.

But it gives you some more administration.

Use one file for each virtualhost and use Include /file to run all
configuration files from that directory.

And in 2.X versions you can have a User directive in each virtualhost, if I
recall correctly.



>===== Original Message From hpknight <hpknight@ao.net> =====
>If you run php in safe mode and set your PHP open_basedir to the
>DocumentRoot for the domain, then they cannot open any files outside of
>that directory.  In php.ini:
>
>safe_mode = on
>
>Then in your <VirtualHost>:
>
>php_admin_flag engine on
>php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"
>
>You may even want to leave off "/tmp" and make each user create a tmp
>directory in their own directory, or move the restriction back to
>/var/www/vhosts/domain.com so they can use anything inside of their domain
>directory.  If you do this for every VirtualHost, you shouldn't have to
>worry about users reading/writing to each other's files .. if they attempt
>to open a file outside of the open_basedir, their script will die out with
>an error.  There are some other safe_mode variables in the php.ini you
>might want to check out too.
>
>You will probably want to restrict cgi-script access, since this is
>another way to get around chroot restrictions :)
>
>-Henry
>
>On Sun, 21 Apr 2002, Gustavo Felisberto wrote:
>
>> I have a machine with many virtual hosts. Some of the virtual hosts are
>> maintained by clients (we serve as web hosting company) and some are
>> internal.
>> The external accounts are locked out of the main filesystem using proftpd's
>> chroot feature and by having /dev/null as the shell.
>> My problem is that even that way users of the external group can use php's
>> fopen() to open other files. And in a php/mysql environment it is not hard to
>> find files with database login/password. If I had lots of IPs I could run
>> several copies of apache, each one on its IP and one for each external
>> client; I would run it with the client's group and that way I could lock each
>> one out of the others' accounts. The problem is that I don't have lots of IPs,
>> any ideas on how to solve this?
>>
>> Gustavo Felisberto
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>>
>
>

-
Arild Evensen
-
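The thread's two recommendations, one config file per VirtualHost and a php_admin_value open_basedir restricted to the customer's own tree, are easy to get subtly wrong across dozens of hosts. The script below is an added example, not code from this posting or from the list; it embeds three constructed per-vhost config files (hostnames and paths are made up) laid out as Arild describes, with the ftp-root one level above the www-root, and audits each <VirtualHost> for a missing open_basedir, for entries such as /tmp that lie outside the customer's tree, and for entries without a trailing slash, which PHP matches as a path prefix rather than as a directory.

```python
"""Audit per-VirtualHost Apache config files for the PHP open_basedir
restriction discussed in the thread.  Constructed example, not code from the
list posting; file names, hostnames and paths below are made up."""
import re
from pathlib import PurePosixPath

# Constructed sample: one config file per customer, ftp-root one level above
# the www-root so include files and tmp live outside the document tree.
SAMPLE_VHOSTS = {
    "customer1.conf": """
<VirtualHost *:80>
    ServerName customer1.example
    DocumentRoot /var/www/virtual/customer1/www
    php_admin_flag engine on
    php_admin_value open_basedir "/var/www/virtual/customer1/"
    php_admin_value include_path "/var/www/virtual/customer1/include"
    php_admin_value upload_tmp_dir /var/www/virtual/customer1/tmp
    <Directory /var/www/virtual/customer1/www>
        AllowOverride None
    </Directory>
</VirtualHost>
""",
    "customer2.conf": """
<VirtualHost *:80>
    ServerName customer2.example
    DocumentRoot /var/www/virtual/customer2/www
    php_admin_flag engine on
    php_admin_value open_basedir "/var/www/virtual/customer2/www:/tmp"
</VirtualHost>
""",
    "customer3.conf": """
<VirtualHost *:80>
    ServerName customer3.example
    DocumentRoot /var/www/virtual/customer3/www
</VirtualHost>
""",
}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
SERVER_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)', re.M | re.I)
BASEDIR_RE = re.compile(
    r'^\s*php_admin_value\s+open_basedir\s+"?([^"\n]+?)"?\s*$', re.M | re.I)


def customer_root(docroot: str) -> str:
    """The customer's private tree: the parent of the www-root (the ftp-root)."""
    return str(PurePosixPath(docroot.rstrip("/")).parent)


def audit_vhost(block: str) -> list[str]:
    """Return the findings for one <VirtualHost> block (empty list = OK)."""
    findings = []
    m = DOCROOT_RE.search(block)
    if not m:
        return ["no DocumentRoot"]
    root = customer_root(m.group(1))
    m = BASEDIR_RE.search(block)
    if not m:
        # Without open_basedir, fopen() in this vhost's scripts can read any
        # file the web server user can read, including other customers' trees.
        return ["no open_basedir: PHP may open files of other customers"]
    for entry in (e.strip() for e in m.group(1).split(":")):
        if not entry.endswith("/"):
            # PHP treats an open_basedir entry as a path prefix, so
            # /var/www/virtual/customer1 also admits /var/www/virtual/customer10.
            findings.append(f"{entry}: no trailing slash, matches as a prefix")
        norm = entry.rstrip("/")
        if not (norm == root or norm.startswith(root + "/")):
            # Shared paths such as /tmp are reachable from every customer's scripts.
            findings.append(f"{entry}: outside customer tree {root}")
    return findings


def audit_file(text: str) -> dict[str, list[str]]:
    """Audit every <VirtualHost> in one config file, keyed by ServerName."""
    results = {}
    for block in VHOST_RE.findall(text):
        m = SERVER_RE.search(block)
        name = m.group(1) if m else "<no ServerName>"
        results[name] = audit_vhost(block)
    return results


def audit_all(files: dict[str, str]) -> dict[str, list[str]]:
    """Audit a directory's worth of per-vhost files (filename -> contents)."""
    results = {}
    for text in files.values():
        results.update(audit_file(text))
    return results


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_VHOSTS).items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

On a real server the dictionary would be filled by reading the files that the main httpd.conf pulls in with an Include of the vhost directory; customer1 here passes, customer2 is flagged for the shared /tmp and for prefix-style entries, and customer3 has no restriction at all.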




