Edit report at http://bugs.php.net/bug.php?id=13261&edit=1
ID: 13261 Updated by: [email protected] Reported by: mike dot hall at opencube dot co dot uk Summary: More restrictive File-system access -Status: Analyzed +Status: Closed Type: Feature/Change Request -Package: Feature/Change Request +Package: *General Issues Operating System: Any PHP Version: 4.0.6 -Assigned To: +Assigned To: jani Block user comment: N Private report: N New Comment: Safe-mode will be gone in future. Tightening open_basedir is now possible since 5.3 something. Previous Comments: ------------------------------------------------------------------------ [2001-09-12 11:12:27] [email protected] You can dynamically assign open_basedir by adding "php_admin_value open_basedir /home/user" to every Apache VirtualHost block. The ls /home/user issue is a difficult problem to solve due to the nature of the webserver module. Since the webserver module runs as user nobody, you are forced to open restrictions on users home directories and files to allow apache to read other users' php scripts. There are ways you can customize your hosting environment to get around the webserver module problem. a. www.freevsd.org b. Turing on safe_mode and setting the exec dir to point to a set of customized unix commands that lock users into there directory c. hacking php to your environment Currently, the best method is compiling php as cgi-bin module, and enabling safe_mode. I have a project waiting on my todo list that could possibly solve a good majority the virtual hosting problems with php. If you are interested in this monitor the php-dev mailing list -Jason ------------------------------------------------------------------------ [2001-09-12 05:59:37] mike dot hall at opencube dot co dot uk Just to clarify, a method of specifying open_basedir dynamically would be nice. Sorry I didn't make that clear first time. ------------------------------------------------------------------------ [2001-09-12 05:21:11] mike dot hall at opencube dot co dot uk echo `ls /home`; In a virtual host situation, this is very dangerous. On my own host - as an experiment - I was able to bring back a directory listing of any other site on the same box. I then did an fread() on his database abstraction script and read the passwords for his database. Then I logged into his MySQL database and was free to mess with his site. It would be EXTREMELY useful to be able to limit the scope of the filesystem functions so they can only read files inside $DOCUMENT_ROOT. Although that wouldn't stop me from typing `cat /home/user/www/database.php`; and getting the same data. This really needs addressing, guys! ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=13261&edit=1
