Hi I've came across on this problem, I have a sever running apache and php. We have many virtual hosts but we've noticed that a potentially malicious user could use his web space to browse other user's files(via a simple php script) and even system files, this could happens due to the php permissions. A way to avoid it is to set the open_basedir var in php.ini, yhis is very simple in a single host system, but in case of virtual hosts there would be a basebir per each host.
Ho can I set dis basedir per each user/host? is there a way to let apache hereditate php privileges of the php file that has been requested
E.G. /home/X_USER/index.php has as owner X_USER, when apache read the file index.php it checks its path and owner, simply I'm looking for a system set php basedir variable to that path.
Thank in advance Lopoc
It is possible to set
open_basedir on a per-directory basis using the
php_admin_value Apache directive.
Example from the manual:
<Directory /docroot> php_admin_value open_basedir /docroot </Directory>
Re your comment: yes, external commands are not affected by
open_basedir - when calling
ls / this is done with the rights the user account PHP runs under (often named
www or similar). As far as I know, it is not possible to extend
open_basedir to external commands.
In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki