RE: Many Virtual Hosts security problem with PHP
You can also put other directives in the <VirtualHost> section, like
<Directory>
AddType for scripting and other file types.
Override settings for .htaccess.
Other PHP related settings (include path, sendmail from, upload tmp dir, ...)
errdoc, ...
Keep the ftp root above the www root; it gives you a private space to have include files,
tmp directory, logfiles, maildir, files with passwords and other sensitive
settings outside the www root
(ftp-root /var/www/virtual/customer1/
www-root /var/www/virtual/customer1/www )
This gives you strong control over each virtual host.
But it gives you some more administration.
Use one file for each virtualhost and use include /file to run all
configuration files from that directory.
And in 2.X versions you can have a User directive in each virtualhost, if I
recall correctly.
>===== Original Message From hpknight <hpknight@ao.net> =====
>If you run php in safe mode and set your PHP open_basedir to the
>DocumentRoot for the domain, then they cannot open any files outside of
>that directory. In php.ini:
>
>safe_mode = on
>
>Then in your <VirtualHost>:
>
>php_admin_flag engine on
>php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"
>
>You may even want to leave off "/tmp" and make each user create a tmp
>directory in their own directory, or move the restriction back to
>/var/www/vhosts/domain.com so they can use anything inside of their domain
>directory. If you do this for every VirtualHost, you shouldn't have to
>worry about users reading/writing to each other's files. If they attempt
>to open a file outside of the open_basedir, their script will die out with
>an error. There are some other safe_mode variables in the php.ini you
>might want to check out too.
>
>You will probably want to restrict cgi-script access, since this is
>another way to get around chroot restrictions :)
>
>-Henry
>
>On Sun, 21 Apr 2002, Gustavo Felisberto wrote:
>
>> I have a machine with many virtual hosts. Some of the virtual hosts are
>> maintained by clients (we serve as web hosting company) and some are
>> internal.
>> The external accounts are locked out of the main filesystem using proftpd's
>> chroot feature and by having /dev/null as the shell.
>> My problem is that even that way users of the external group can use php's
>> fopen() to open other files. And in a php/mysql environment it is not hard to
>> find files with database login/password. If I had lots of IPs I could run
>> several copies of apache, each one on its IP and one for each external
>> client; I would run it with the client's group and that way I could lock each
>> one out of the others' accounts. The problem is that I don't have lots of IPs,
>> any ideas on how to solve this?
>>
>> Gustavo Felisberto
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>>
>
>
-
Arild Evensen
-
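Added example (not from any of the posts above): a small audit script that reads the kind of per-vhost config files this thread recommends and checks, for each <VirtualHost>, that open_basedir is set and stays inside that customer's private ftp-root above the DocumentRoot. The config snippets, hostnames and paths are constructed for the example; the trailing-slash check reflects PHP's documented prefix matching of open_basedir entries.

```python
import os
import re

# Constructed sample: one file per VirtualHost with the ftp-root above the www-root
# (made-up configs, not from the list post).
VHOSTS = {
    "customer1.conf": """<VirtualHost *:80>
    ServerName customer1.example
    DocumentRoot /var/www/virtual/customer1/www
    php_admin_value open_basedir "/var/www/virtual/customer1/:/tmp"
</VirtualHost>""",
    "customer2.conf": """<VirtualHost *:80>
    ServerName customer2.example
    DocumentRoot /var/www/virtual/customer2/www
    php_admin_value open_basedir "/var/www/virtual/customer2:/var/www/virtual"
</VirtualHost>""",
    "customer3.conf": """<VirtualHost *:80>
    ServerName customer3.example
    DocumentRoot /var/www/virtual/customer3/www
</VirtualHost>""",
}

def directive(text, name):
    # Value of the first matching directive (surrounding quotes stripped), or None.
    m = re.search(r'^\s*' + name + r'\s+"?([^"\n]+?)"?\s*$', text, re.M)
    return m.group(1) if m else None

def audit_vhost(text):
    """Return (ServerName, findings) for one <VirtualHost> block."""
    server = directive(text, "ServerName") or "?"
    docroot = directive(text, "DocumentRoot")
    if docroot is None:
        return server, ["no DocumentRoot"]
    home = os.path.dirname(docroot.rstrip("/"))  # private ftp-root above www-root
    basedir = directive(text, r"php_admin_value\s+open_basedir")
    if basedir is None:
        return server, ["open_basedir not set: scripts may fopen() any file the server can read"]
    findings = []
    for raw in basedir.split(":"):
        entry = raw.rstrip("/")
        if entry == "/tmp":
            findings.append("/tmp is shared with every other vhost")
        elif not (entry == home or entry.startswith(home + "/")):
            findings.append(f"{raw} reaches outside {home}")
        elif raw == entry:
            # PHP compares open_basedir as a string prefix, so "/x/customer1" also
            # admits "/x/customer10"; a trailing slash pins it to the directory.
            findings.append(f"{raw} lacks trailing slash (prefix match)")
    return server, findings

def audit_all(configs):
    # Map ServerName -> findings across every per-vhost config file.
    return dict(audit_vhost(text) for text in configs.values())
```

Run it against the directory your Include directive points at and treat any non-empty findings list as a vhost whose scripts can still read beyond their own tree.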