ID: 13261
Updated by: jason
Reported By: [EMAIL PROTECTED]
Old Summary: Restricting file system access
Old Status: Open
Status: Analyzed
Bug Type: Feature/Change Request
Operating System: Any
PHP Version: 4.0.6
New Comment:
You can dynamically assign open_basedir by adding "php_admin_value open_basedir /home/user" to every Apache VirtualHost block.
The ls /home/user issue is a difficult problem to solve due to the nature of the webserver module. Since the webserver module runs as user nobody, you are forced to open restrictions on users' home directories and files to allow apache to read other users' php scripts.
There are ways you can customize your hosting environment to get around the webserver module problem.
a. www.freevsd.org
b. Turning on safe_mode and setting the exec dir to point to a set of customized unix commands that lock users into their directory
c. hacking php to your environment
Currently, the best method is compiling php as a cgi-bin module, and enabling safe_mode.
I have a project waiting on my todo list that could possibly solve a good majority of the virtual hosting problems with php. If you are interested in this, monitor the php-dev mailing list.
-Jason
Previous Comments:
------------------------------------------------------------------------
[2001-09-12 05:59:37] [EMAIL PROTECTED]
Just to clarify, a method of specifying open_basedir dynamically would be nice. Sorry I didn't make that clear the first time.
------------------------------------------------------------------------
[2001-09-12 05:21:11] [EMAIL PROTECTED]
echo `ls /home`;
In a virtual host situation, this is very dangerous. On my own host - as an experiment
- I was able to bring back a directory listing of any other site on the same box. I
then did an fread() on his database abstraction script and read the passwords for his
database. Then I logged into his MySQL database and was free to mess with his site.
It would be EXTREMELY useful to be able to limit the scope of the filesystem functions
so they can only read files inside $DOCUMENT_ROOT. Although that wouldn't stop me from
typing `cat /home/user/www/database.php`; and getting the same data. This really needs
addressing, guys!
------------------------------------------------------------------------
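The per-VirtualHost open_basedir setting Jason describes above, and the cross-customer directory read the reporter describes, put side by side as an added example. This configuration is not from the bug report or from the PHP project; the hostnames, home directories and the safe-bin path are constructed placeholders.

```apache
# Added example (not from the bug report). One VirtualHost per hosted user;
# each one is pinned to its own home directory. php_admin_value settings
# cannot be overridden from .htaccess or ini_set() in the user's scripts.
# Hostnames and paths below are constructed placeholders.

# Weak form: no open_basedir at all. Every script runs as the shared
# web server user, so fopen('/home/bob/www/database.php') from Alice's
# site succeeds, as the reporter observed.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/www
</VirtualHost>

# Hardened form: file functions (fopen, fread, include, opendir, ...) are
# refused outside the listed prefixes. ':' separates paths on Unix; /tmp is
# optional and only needed if scripts write session or upload files there.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/www
    php_admin_value open_basedir "/home/alice:/tmp"
    # Option (b) from Jason's list: safe_mode plus a restricted exec dir, so
    # backticks/exec() can only run the vetted commands placed in that dir.
    php_admin_flag safe_mode on
    php_admin_value safe_mode_exec_dir "/usr/local/lib/php/safe-bin"
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.com
    DocumentRoot /home/bob/www
    php_admin_value open_basedir "/home/bob:/tmp"
    php_admin_flag safe_mode on
    php_admin_value safe_mode_exec_dir "/usr/local/lib/php/safe-bin"
</VirtualHost>
```

open_basedir only governs PHP's own filesystem functions; a shell spawned through backticks or exec() still runs as the web server user with whatever permissions the home directories grant it, which is exactly the `cat` case the reporter raises. That is why the hardened block also restricts safe_mode_exec_dir, and why the comment above recommends the CGI build with safe_mode where per-user process identities are needed.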
--
PHP Development Mailing List <http://www.php.net/>