  1. #1
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    461

    Default Limit php to users home dir

    How can I force PHP to only access files within the user's home directory?

    I'm using Apache 1.3.x and PHP v4 and v5 together in cPanel v11 STABLE.

    I want this feature so that a user can't install a PHP file manager and browse the system remotely.

    Thank you.

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by sehh View Post
    How can I force PHP to only access files within the user's home directory?

    I'm using Apache 1.3.x and PHP v4 and v5 together in cPanel v11 STABLE.

    I want this feature so that a user can't install a PHP file manager and browse the system remotely.

    Thank you.
    You may want to change the setting for open_basedir in php.ini for both PHP 4 and 5 to try to curb the ability to browse folders outside /home/user.

    Additionally, if security is a concern, you may wish to run SuPHP (now supported in EA3, simply select it on the "Advanced Configuration" screen). You may also consider running Suhosin.

  3. #3
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by sehh View Post
    How can I force PHP to only access files within the user's home directory?

    I'm using Apache 1.3.x and PHP v4 and v5 together in cPanel v11 STABLE.

    I want this feature so that a user can't install a PHP file manager and browse the system remotely.

    Thank you.
    First, let me suggest that you run suPHP if you do not already.

    Second, I believe the open_basedir directive is what prevents users from accessing outside of their web root, but I don't understand it fully and there may still be ways around that.

    Third, when you build apache, checkmark:

    Fileprotect (in EasyApache3)
    Prevent Users from reading other webroots (in EA2/EA1)

    Mike

  4. #4
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    461

    Default

    Thank you both for your answers. I believe my system is using suexec, as I see the PHP scripts in the process list starting with "/usr/local/apache/bin/suexec", but I don't know if suexec has its own configuration.

    So based on the fact that I'm running suexec, is "open_basedir" enough to stop PHP scripts from browsing around?

    PS:
    I'd like to avoid running EasyApache to recompile it, since the current Apache binary has been running fine without problems for a year or so.

  5. #5
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    461

    Default

    Hmm, Google pointed me to a page in WHM that does just that:

    Under "Security Center", select the option "Tweak php open_basedir Security".

    Running suexec along with the open_basedir tweak, is that enough?

  6. #6
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by sehh View Post
    Hmm, Google pointed me to a page in WHM that does just that:

    Under "Security Center", select the option "Tweak php open_basedir Security".

    Running suexec along with the open_basedir tweak, is that enough?
    You can never be secure enough. Do everything you can to secure it. You shouldn't look to cPanel or anybody else to give you a 'thumbs up', seriously. Nobody else can vouch for the security of your system or guarantee that somehow, some way, somebody can't gain access to information across sites, directories, etc.

    Suexec/SuPHP, open_basedir, mod_security, making sure Apache is compiled with options mentioned in previous posts, will go a long way.

    Add to that disabling ALL shell access, possibly running Suhosin if you are able to do it without breaking all of your sites / module functionality.

    Mike
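
As an added example (not code from this thread or from cPanel): a small Python audit that checks every virtual host for the open_basedir restriction discussed above. It assumes PHP runs as an Apache module, so per-vhost `php_admin_value` lines apply, and a `/home/<user>/public_html` layout; the config sample, host names and the `SHARED` path list are constructed for illustration.

```python
import re

# Constructed httpd.conf sample (mod_php syntax, /home/<user> docroots); not from the thread.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10>
  ServerName alice.example
  DocumentRoot /home/alice/public_html
  php_admin_value open_basedir "/home/alice/:/usr/lib/php:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10>
  ServerName bob.example
  DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
  ServerName carol.example
  DocumentRoot /home/carol/public_html
  php_admin_value open_basedir "/home:/tmp"
</VirtualHost>
<VirtualHost 192.0.2.10>
  ServerName dan.example
  DocumentRoot /home/dan/public_html
  php_admin_value open_basedir "/home/dan:/tmp"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
SHARED = {"/tmp", "/usr/lib/php"}  # assumed site-wide paths every account may read

def directive(block, name):
    m = re.search(r"^\s*" + name + r'\s+"?([^"\n]+)"?\s*$', block, re.M | re.I)
    return m.group(1).strip() if m else None

def audit(conf):  # returns ServerName -> ok | missing | too-broad | prefix-risk
    findings = {}
    for block in VHOST_RE.findall(conf):
        home = "/".join(directive(block, "DocumentRoot").split("/")[:3])
        basedir = directive(block, r"php_admin_value\s+open_basedir")
        status = "ok" if basedir else "missing"
        for path in (basedir.split(":") if basedir else []):
            if path.rstrip("/") in SHARED:
                continue
            if path.rstrip("/") != home:
                status = "too-broad"  # reaches outside this account's home
                break
            if not path.endswith("/"):
                # Older PHP matches by string prefix: /home/dan also admits /home/daniel
                status = "prefix-risk"
        findings[directive(block, "ServerName")] = status
    return findings
```

Under suPHP or another CGI setup these Apache directives are not in effect and open_basedir comes from php.ini instead, so the same check would have to read that file.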

  7. #7
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    461

    Default

    Thank you for your suggestions.

    I don't want to make any major changes, because next week stage 2 will hit the door for STABLE release and I don't want to break anything. Once stage 2 is complete and Apache 2.x is running, I'll go for a custom recompile and remove anything I don't need (like FrontPage extensions).
