On Sat, Jun 30, 2007 at 05:51:22PM +0200, Matt wrote:
> >You don't want user 1's web applications to be able to access data in user
> >2's web application storage space.
> I will only be using mod_php. In the past, without the user shell
> accounts, this has worked rather well for me in combination with the
> "open_base_dir" directive in the VirtualHost.
> This binds PHP's abilities to the specified directory (or directories)
> for that specific virtual host.
>
> Am I overlooking something with that setup?
> I get the impression from your reply this might be rather unsafe?
I'm no PHP expert. If you're sure the PHP interpreter will restrict your users' accounts to their own directory, then good. But note:

- you must trust it to enforce this in all possible circumstances (rather obviously, for example, your users' PHP scripts must not be able to fork/exec any external program or script which could have been written by the user, nor load any untrusted C extensions, nor modify the environment for external programs);

- you must trust both the PHP interpreter and the web server not to have any remotely-exploitable holes, since anyone who breaks in as the web server user will have read *and* write access to everyone's data files;

- you must be sure that as well as locking everything down, you've not inadvertently left any way for users to change the restrictions (e.g. in .htaccess).

Now, finding documentation for this feature was hard. It appears that it's actually called "open_basedir", not "open_base_dir". See http://www.php.net/manual/en/features.safe-mode.php

It looks like every single library function in PHP which opens files must validate this setting. Given PHP's security track record, I'm not sure I'd bet my business on it.

You'll also need to take care with file permissions, given that you're now giving shell accounts to each user with their own uids. Each user will need to have read/write access on their own files of course, and grant read/write access to the webserver's gid, but without being members of the webserver group themselves (otherwise they'd be able to read/write all the other users' files). You may be able to achieve this by suitable checks on the top-level directory, and making files world-writable inside (ergh). Otherwise, welcome to sticky-bit city :-)

Regards,
Brian.
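As an added example (not part of the thread above), a small audit for the .htaccess override point Brian raises: under Apache mod_php, an open_basedir set with php_admin_value in the VirtualHost cannot be overridden from a user's .htaccess, whereas one set with php_value can be replaced there whenever AllowOverride permits it, and a vhost with no setting at all gets no restriction. The Apache config below is constructed sample input, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample: three mod_php vhosts with different open_basedir handling.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName user1.example.test
    DocumentRoot /home/user1/public_html
    php_admin_value open_basedir /home/user1/public_html:/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName user2.example.test
    DocumentRoot /home/user2/public_html
    php_value open_basedir /home/user2/public_html
</VirtualHost>
<VirtualHost *:80>
    ServerName user3.example.test
    DocumentRoot /home/user3/public_html
</VirtualHost>
EOF

# audit_open_basedir FILE
# Prints "<ServerName> <status>" per vhost, where status is:
#   OK           open_basedir set via php_admin_value (locked against .htaccess)
#   OVERRIDABLE  set only via php_value (a user .htaccess can replace it)
#   MISSING      no open_basedir at all in the vhost
audit_open_basedir() {
    awk '
        /<VirtualHost/ { name = "?"; status = "MISSING" }
        /^[ \t]*ServerName[ \t]/ { name = $2 }
        /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ { status = "OK" }
        /^[ \t]*php_value[ \t]+open_basedir[ \t]/ {
            if (status != "OK") status = "OVERRIDABLE"
        }
        /<\/VirtualHost>/ { print name, status }
    ' "$1"
}

audit_open_basedir "$SAMPLE_CONF"
```

Anything reported as OVERRIDABLE or MISSING is a vhost where the per-user restriction depends on the user's own .htaccess, which is exactly the gap the reply warns about.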

