I have a problem where users are allowed to upload and execute PHP files to their own directories but there is nothing to stop them from accessing other users' directories.
The website directory structure is like this:
public_html/
public_html/user1/
public_html/user2/
So the corresponding domain structure is:
domain.com
domain.com/user1/
domain.com/user2/
User1 can only upload/delete files in the directory user1, but there really is nothing to stop him from uploading a PHP file that can access files in the user2 directory. Suppose user2 has a PHP file that connects to a database; user1 could read the file and get the database username and password. Or user1 could simply go and delete all of user2's files. Not good.
If I could restrict the PHP files in public_html/user1/ from only accessing files in public_html/user1/ and lower that would solve all my problems.
I have a few thousand users using this system, if that makes a difference. Windows box, unfortunately.
Thanks.
Prevent PHP from accessing higher directories
Started by beardedlinuxgeek, Aug 18 2010 06:31 AM
5 replies to this topic
#1
Posted 18 August 2010 - 06:31 AM
#2
Posted 18 August 2010 - 08:11 AM
Would it be possible to accomplish this with Open_basedir?
There is only one Apache host; each "site" is not its own Apache site.
#3
Posted 18 August 2010 - 09:30 AM
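Yes, you can accomplish this by applying open_basedir on each Apache virtual host configuration, an example being:
# Windows separates open_basedir entries with ';' (':' is the Unix separator).
# Forward slashes keep a trailing '\' from being read as a line continuation.
php_admin_value open_basedir C:/public_html/user1;C:/PEAR/includes/
php_admin_value safe_mode_include_dir C:/PEAR/includes/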
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
#4
Posted 18 August 2010 - 12:54 PM
Thanks for your reply, but I did comment saying that there was only one Apache host.
Does this mean I will need to create a virtual host for each user? Is it possible to add virtual hosts without restarting the server?
#5
Posted 18 August 2010 - 01:29 PM
The easiest way in all ways is to limit the users by your software to only access these folders. Then turn off PHP and other scripts in these directories... or is this gonna be some homepages?
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
#6
Posted 18 August 2010 - 01:47 PM
What's going on is each user has a PHP based blog installed in their own directory. The thing is, they could write a plugin for their blog, which does damage to other users' blogs.
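
An added example, not part of any post in this thread: a Python generator for a per-directory form of the open_basedir restriction from reply #3, emitting one <Directory> section per user inside the single Apache host. It assumes PHP runs as an Apache module (so php_admin_value is accepted inside <Directory>); the C:/public_html root and the function names are hypothetical.

```python
import re

# Assumptions: the thread gives no drive or absolute path for public_html.
WEB_ROOT = "C:/public_html"
SHARED_INCLUDES = "C:/PEAR/includes/"   # shared include path from reply #3

# Directory names are written into server config, so accept only a strict
# character set: no slashes, dots, semicolons, quotes or whitespace.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def directory_block(user):
    """Return one <Directory> section confining PHP under a user's directory."""
    if not SAFE_NAME.fullmatch(user):
        raise ValueError(f"unsafe directory name: {user!r}")
    user_dir = f"{WEB_ROOT}/{user}"
    # The trailing slash matters: on PHP versions that treat open_basedir as a
    # prefix, ".../user1" without it would also match ".../user10".
    # ';' is the open_basedir list separator on Windows.
    allowed = ";".join([user_dir + "/", SHARED_INCLUDES])
    return (
        f'<Directory "{user_dir}">\n'
        f'    php_admin_value open_basedir "{allowed}"\n'
        f"</Directory>\n"
    )


def render(users):
    """Render blocks for all users, de-duplicated case-insensitively because
    Windows treats 'User1' and 'user1' as the same directory."""
    seen, blocks = set(), []
    for user in sorted(users, key=str.lower):
        if user.lower() in seen:
            continue
        seen.add(user.lower())
        blocks.append(directory_block(user))
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample input matching the layout in the first post.
    print(render(["user1", "user2"]))
```
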

