Re: Many Virtual Hosts security problem with PHP
If you run PHP in safe mode and set your PHP open_basedir to the
DocumentRoot for the domain, then they cannot open any files outside of
that directory. In php.ini:
safe_mode = on
Then in your <VirtualHost>:
php_admin_flag engine on
php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"
You may even want to leave off "/tmp" and make each user create a tmp
directory in their own directory, or move the restriction back to
/var/www/vhosts/domain.com so they can use anything inside of their domain
directory. If you do this for every VirtualHost, you shouldn't have to
worry about users reading/writing each other's files; if they attempt
to open a file outside of the open_basedir, their script will die with
an error. There are some other safe_mode variables in the php.ini you
might want to check out too.
You will probably want to restrict cgi-script access, since this is
another way to get around chroot restrictions :)
-Henry
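The containment rule Henry describes, as an added worked example (not code from the original message or from PHP itself): a small Python checker that applies open_basedir-style semantics to a path, plus a helper that emits the per-VirtualHost directive. The request paths and the vhost layout under /var/www/vhosts are constructed for the demonstration; the canonicalisation is purely lexical (PHP additionally resolves symlinks with realpath()). The checker deliberately appends a trailing slash to every entry, following the PHP manual's advice that an entry without one is matched as a bare prefix.

```python
import posixpath


def parse_open_basedir(value):
    """Split a PHP-style open_basedir list ("dir1:dir2") into its entries."""
    return [entry for entry in value.split(":") if entry]


def canonical(path):
    """Lexically resolve '.' and '..' components (no filesystem access).

    PHP also resolves symlinks via realpath(); the lexical form is enough
    to show how a '..' escape is caught by the prefix comparison.
    """
    return posixpath.normpath(path)


def is_allowed(path, open_basedir):
    """True if `path` lies inside one of the open_basedir directories.

    Each entry is canonicalised and given a trailing slash before the
    comparison, so "/tmp" permits "/tmp/x" but not "/tmpfoo/x".
    """
    target = canonical(path)
    for base in parse_open_basedir(open_basedir):
        base_dir = canonical(base).rstrip("/") + "/"
        if target == base_dir.rstrip("/") or target.startswith(base_dir):
            return True
    return False


def vhost_open_basedir(domain, vhost_root="/var/www/vhosts", include_tmp=False):
    """Build the php_admin_value open_basedir line for one VirtualHost.

    `vhost_root` is the assumed layout from the message; entries get a
    trailing slash so they are matched as directories, not prefixes.
    """
    dirs = [f"{vhost_root}/{domain}/htdocs/"]
    if include_tmp:
        dirs.append("/tmp/")
    return f'php_admin_value open_basedir "{":".join(dirs)}"'


# Constructed sample requests: a script under domain.com trying several paths.
SAMPLE_REQUESTS = [
    "/var/www/vhosts/domain.com/htdocs/index.php",
    "/var/www/vhosts/domain.com/htdocs/../../other.com/htdocs/db_config.php",
    "/tmp/sess_abc",
    "/tmpfoo/secret",
]


def audit(open_basedir, requests=SAMPLE_REQUESTS):
    """Map each requested path to whether the open_basedir setting allows it."""
    return {req: is_allowed(req, open_basedir) for req in requests}


if __name__ == "__main__":
    conf = "/var/www/vhosts/domain.com/htdocs:/tmp"
    for path, ok in audit(conf).items():
        print(("allow " if ok else "DENY  ") + path)
    print(vhost_open_basedir("domain.com", include_tmp=True))
```

Running it shows the '..' hop into other.com's htdocs and the /tmpfoo lookalike both denied, while the domain's own files and /tmp are allowed; the final line is the directive to drop into that domain's VirtualHost block.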
On Sun, 21 Apr 2002, Gustavo Felisberto wrote:
> I have a machine with many virtual hosts. Some of the virtual hosts are
> maintained by clients (we serve as web hosting company) and some are
> internal.
> The external accounts are locked out of the main filesystem using proftpd's
> chroot feature and by having /dev/null as the shell.
> My problem is that even that way users of the external group can use PHP's
> fopen() to open other files. And in a PHP/MySQL environment it is not hard to
> find files with database login/password. If I had lots of IPs I could run
> several copies of Apache, each one on its own IP and one for each external
> client; I would run it with the client's group and that way I could lock each
> one out of the others' accounts. The problem is that I don't have lots of IPs,
> any ideas on how to solve this?
>
> Gustavo Felisberto
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org