"Dave" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> please hack apart this solution and point out the error/insecure nature of the
> setup.
>
> goal, provide php access to name based virtual hosts on FreeBSD boxes
>
> problem, security of PHP access to base system and other user scripts
>
> solution,
>
> apache compiled with suexec
>
> # set user and group to unique
> chown USERID:USERID /path/to/user/html/directory
>
> # no public access to any files under here that
> # you don't want public reading, like scripts
> # with database login information in them
> chmod -R 0750 /path/to/user/html/directory
>
> # set group sticky execution... we will run
> # apache as this unique group so may not be needed
> chmod g+s /path/to/user/html/directory
>
> in apache's httpd.conf
>
> # set each virtual host to run any accesses
> # as the group USERID giving them only access
> # to this directory... defeats PHP directory
> # and shell scripts as long as no public read bits
> # are set
> <VirtualHost *>
>     ServerName whatever.com
>     Group USERID
> </VirtualHost>
>
> Sufficient?
>
> you end up with http://test1.com and http://test2.com being unable to create PHP
> scripts or do listings of any other virtual user directory since they are not of
> the same group, but accesses to the site are made by invoking apache as that
> group for that session.
>
> directory tree
>
> drwxr-s---  2 user1  user1  512 Aug 19 18:23 vtest1
> drwxr-s---  2 user2  user2  512 Aug 19 18:26 vtest2
>
> with directory groups set in the httpd.conf for user1 in vtest1 and user2 in
> vtest2, neither user should be able to use PHP filesystem functions to browse
> the other directories as long as no public bits are set, and apache server
> requests still serve the documents from the directories since each user's
> directory has a Group user1 (or user2) set for his directory in the directory
> or virtual container, thus executing the apache requests as the appropriate user
> and not the generic www user.
>
> Please feel free to point out any errors in my logic... it appears pretty solid
> from here.
>
> Dave

Have you looked at "open_basedir" in php.ini ?

Here's what I do:

in php.ini

open_basedir = /dev/null

in httpd.conf

<VirtualHost 192.168.1.10>
    ServerName whatever.com
    php_admin_value open_basedir /path/to/website
</VirtualHost>

Peter

--
PHP General Mailing List (http://www.php.net/)
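The two halves of this thread, Dave's filesystem recipe (group-private docroot, setgid directories, no world bits) and Peter's per-vhost open_basedir, fit together as one hardening-plus-audit step. The script below is an added example written for this page, not code from either poster: it applies the chmod/setgid part of the recipe to a docroot, audits the tree for world-accessible entries and directories missing the setgid bit, and prints the combined vhost stanza. The docroot path, vhost name and group are constructed for the demo, and the chown step is left out because it needs root.

```shell
#!/bin/sh
# Added example (not from the thread): harden one virtual host's document
# root the way the recipe above does and audit the result.
set -e

# Apply the chmod part of Dave's recipe to a docroot: owner rwx, group rx,
# no world bits anywhere, and setgid on every directory so new files keep
# the vhost's group.
harden_docroot() {
    dir=$1
    chmod -R 0750 "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# Audit: return 0 if nothing under $dir carries a world r/w/x bit and every
# directory has the setgid bit; otherwise list the offenders and return 1.
audit_docroot() {
    dir=$1
    bad=0
    world=$(find "$dir" -perm -0004 -o -perm -0002 -o -perm -0001)
    if [ -n "$world" ]; then
        echo "world-accessible entries:"; echo "$world"; bad=1
    fi
    nosgid=$(find "$dir" -type d ! -perm -2000)
    if [ -n "$nosgid" ]; then
        echo "directories without setgid:"; echo "$nosgid"; bad=1
    fi
    return $bad
}

# Emit the per-vhost Apache stanza: Dave's Group setting plus Peter's
# open_basedir confined to this docroot (assumed layout, not a real host).
vhost_config() {
    name=$1; dir=$2; group=$3
    cat <<EOF
<VirtualHost *>
    ServerName $name
    Group $group
    php_admin_value open_basedir $dir
</VirtualHost>
EOF
}

# Constructed demo tree: a docroot holding a config file with DB credentials
# that starts out world-readable (the state the recipe is meant to remove).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vtest1/inc"
    echo '<?php $db_pass = "constructed-secret";' > "$tmp/vtest1/inc/config.php"
    chmod 0644 "$tmp/vtest1/inc/config.php"
    if audit_docroot "$tmp/vtest1" >/dev/null; then
        echo "unexpected: tree already clean"
    fi
    harden_docroot "$tmp/vtest1"
    audit_docroot "$tmp/vtest1" && echo "audit clean after hardening"
    vhost_config test1.com "$tmp/vtest1" user1
    rm -rf "$tmp"
}

demo
```

Run it as a regular user; the first audit reports the 0644 config file and the 0755 directories, the second audit is clean, and the printed stanza is what you would drop into httpd.conf for that host. Note that the audit only checks mode bits, so a file owned by the wrong user or group still needs the chown from the recipe.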