Hi I've came across on this problem, I have a sever running apache and php. We have many virtual hosts but we've noticed that a potentially malicious user could use his web space to browse other user's files(via a simple php script) and even system files, this could happens due to the php permissions. A way to avoid it is to set the open_basedir var in php.ini, yhis is very simple in a single host system, but in case of virtual hosts there would be a basebir per each host.

Ho can I set dis basedir per each user/host? is there a way to let apache hereditate php privileges of the php file that has been requested

E.G. /home/X_USER/index.php has as owner X_USER, when apache read the file index.php it checks its path and owner, simply I'm looking for a system set php basedir variable to that path.

Thank in advance Lopoc

Accepted Answer

It is possible to set open_basedir on a per-directory basis using the php_admin_value Apache directive.

Example from the manual:

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>

Re your comment: yes, external commands are not affected by open_basedir - when calling ls / this is done with the rights the user account PHP runs under (often named www or similar). As far as I know, it is not possible to extend open_basedir to external commands.

In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.

Written by Pekka
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki