You can also put other directives in the <VirtualHost> section, like <Directory>, AddType for scripting and other file types, override settings for .htaccess, other PHP-related settings (include path, sendmail from, upload tmp dir, ...), errdoc, ...

Keeping the ftp root over the www root gives you a private space to have include files, tmp directory, logfiles, maildir, files with passwords and other sensitive settings outside the www root (ftp-root /var/www/virtual/customer1/, www-root /var/www/virtual/customer1/www). It gives you strong control over each virtual host, but it gives you some more administration. Use one file for each virtual host and use Include /file to run all configuration files from that directory. And in 2.x versions you can have a User directive in each virtual host, if I recall correctly.

>===== Original Message From hpknight <[EMAIL PROTECTED]> =====
>If you run php in safe mode and set your PHP open_basedir to the
>DocumentRoot for the domain, then they cannot open any files outside of
>that directory. In php.ini:
>
>safe_mode = on
>
>Then in your <VirtualHost>:
>
>php_admin_flag engine on
>php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"
>
>You may even want to leave off "/tmp" and make each user create a tmp
>directory in their own directory, or move the restriction back to
>/var/www/vhosts/domain.com so they can use anything inside of their domain
>directory. If you do this for every VirtualHost, you shouldn't have to
>worry about users reading/writing to each other's files .. if they attempt
>to open a file outside of the open_basedir, their script will die out with
>an error. There are some other safe_mode variables in the php.ini you
>might want to check out too.
>
>You will probably want to restrict cgi-script access, since this is
>another way to get around chroot restrictions :)
>
>-Henry
>
>On Sun, 21 Apr 2002, Gustavo Felisberto wrote:
>
>> I have a machine with many virtual hosts. Some of the virtual hosts are
>> maintained by clients (we serve as web hosting company) and some are
>> internal.
>> The external accounts are locked out of the main filesystem using proftpd
>> chroot feature and by having /dev/null as the shell.
>> My problem is that even that way users of the external group can use php's
>> fopen() to open other files. And in a php/mysql environment it is not hard to
>> find files with database login/password. If I had lots of IPs I could run
>> several copies of apache each one on its IP and one for each external
>> client, I would run it with the clients group and that way I could lock each
>> one out of the others account. The problem is that I don't have lots of IPs,
>> any ideas on how to solve this?
>>
>> Gustavo Felisberto
>>
>>
>> --
>> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>>
>
>
- Arild Evensen -
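
An added example, not part of the original thread: a Python check that each <VirtualHost> sets php_admin_value open_basedir and that every path in it stays under the customer's own root, which flags the shared /tmp entry Henry suggests leaving off. It assumes the customer root is the parent of DocumentRoot (the ftp-root/www-root layout described above); the sample config, host names and the function names `directive` and `audit` are constructed for illustration.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed sample config; paths follow the ftp-root/www-root layout in the thread.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName customer1.example
    DocumentRoot /var/www/virtual/customer1/www
    php_admin_value open_basedir "/var/www/virtual/customer1"
</VirtualHost>
<VirtualHost *:80>
    ServerName customer2.example
    DocumentRoot /var/www/virtual/customer2/www
    php_admin_value open_basedir "/var/www/virtual/customer2/www:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName customer3.example
    DocumentRoot /var/www/virtual/customer3/www
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Unquoted argument of the last `name <arg>` line in a vhost body, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I)
    return hits[-1].strip('"') if hits else None

def audit(conf):
    """Map ServerName -> findings about that vhost's open_basedir."""
    report = {}
    for body in VHOST_RE.findall(conf):
        name = directive(body, "ServerName") or "(unnamed)"
        docroot = directive(body, "DocumentRoot")
        basedir = directive(body, r"php_admin_value[ \t]+open_basedir")
        findings = []
        if docroot is None:
            findings.append("no DocumentRoot")
        elif basedir is None:
            findings.append("open_basedir not set")
        else:
            # Assumption: the customer root is the parent of DocumentRoot.
            home = PurePosixPath(posixpath.normpath(docroot)).parent
            for entry in basedir.split(":"):
                p = PurePosixPath(posixpath.normpath(entry))  # collapse ".."
                if p != home and home not in p.parents:
                    findings.append(f"outside customer root: {entry}")
        report[name] = findings
    return report
```

Call `audit()` on the concatenated per-vhost files to get a per-host list of findings. safe_mode is not checked, since PHP removed it in 5.4; open_basedir is still available.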

