PHP - a different open_basedir per each virtual host

给你一囗甜甜゛ 提交于 2019-11-27 04:33:41

问题


I've came across on this problem, I have a sever running apache and php. We have many virtual hosts but we've noticed that a potentially malicious user could use his web space to browse other user's files(via a simple php script) and even system files, this could happens due to the php permissions. A way to avoid it is to set the open_basedir var in php.ini, yhis is very simple in a single host system, but in case of virtual hosts there would be a basebir per each host.

Ho can I set dis basedir per each user/host? is there a way to let apache hereditate php privileges of the php file that has been requested

E.G. /home/X_USER/index.php has as owner X_USER, when apache read the file index.php it checks its path and owner, simply I'm looking for a system set php basedir variable to that path.

Thank in advance Lopoc


回答1:


It is possible to set open_basedir on a per-directory basis using the php_admin_value Apache directive.

Example from the manual:

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>

Re your comment: yes, external commands are not affected by open_basedir - when calling ls / this is done with the rights the user account PHP runs under (often named www or similar). As far as I know, it is not possible to extend open_basedir to external commands.

In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.




回答2:


You can set many php.ini settings using the Apache configuration file.

See these related pages from the PHP manual: - http://php.net/manual/en/configuration.changes.php - http://www.php.net/manual/en/ini.core.php#ini.sect.path-directory - http://www.php.net/manual/en/configuration.changes.modes.php




回答3:


chroot is a good idea. And now docker is more effective.

and open_basedir with "/docroot" is not security ,you should end with a "/" or PHP can access /docroot1



来源:https://stackoverflow.com/questions/2781185/php-a-different-open-basedir-per-each-virtual-host

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!