Limiting one folder/website from accessing another

Trenchant
Forum Contributor
Posts: 291
Joined: Mon Nov 29, 2004 6:04 pm
Location: Web Dummy IS

Post by Trenchant »

I have constructed a control panel for the local webhosting I will be selling soon but I have noticed a major bug. The script I'm using could easily be replicated by any of my clients, meaning they have full access to my server....


I'm running Apache and below is a setup of my directories:

C:/AppServ/ Root AppServ Folder
/www/ Public section (changed in Apache to be limited access)
/hosting/ Main hosting section
/$client/ Client's root directory
/www/ Client's public directory
/private/ Client's private directory
/folder/
/serverpro/ My Control Panel's folder

I need to limit my clients' access between folders. So one client can't edit anything below their $client folder.
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

If you look at http://php.net/features.safe-mode and in particular the open_base directive then that should point the way. I've never needed/used safe mode myself so the implementation details are beyond me.
Trenchant
Forum Contributor
Posts: 291
Joined: Mon Nov 29, 2004 6:04 pm
Location: Web Dummy IS

Post by Trenchant »

I would rather keep safe-mode off for my users if I could though. I believe in giving clients as much as I can for their dollar and from my own past experiences I have found safe-mode annoying.

Is there a specific Apache mode that can be applied? Each client does have their own virtual host section. Couldn't I change the allow/deny properties to restrict access to a "sub root" folder?
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

iirc open_basedir is not just restricted to safe mode. So you can still use it to restrict clients to their own dir without having to use safe mode.
http://php.net/ini_set has more info
Trenchant
Forum Contributor
Posts: 291
Joined: Mon Nov 29, 2004 6:04 pm
Location: Web Dummy IS

Post by Trenchant »

Okay thanks, I'll look into that.

Edit:

Just for anyone in the future who may need this information

open_basedir string

Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.

The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().

In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with "php_admin_value open_basedir none".

Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"

Note: Support for multiple directories was added in 3.0.7.

The default is to allow all files to be opened.
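
Added example (not part of the original posts or the PHP manual): a small Python model of the prefix rule quoted above, applied to the C:/AppServ/hosting/ layout from the first post, showing why each client's open_basedir value should end with a slash. The client names and helper functions are hypothetical, and the check only models the behaviour as the quoted text describes it.

```python
import posixpath

# Added example: a model of the prefix check as the quoted manual text describes it.
# Client names and helper names are hypothetical; only the layout is from the thread.
HOSTING_ROOT = "C:/AppServ/hosting/"

def _norm(p):
    # Windows paths: treat "\" as "/" and ignore case.
    return p.replace("\\", "/").lower()

def allowed(path, open_basedir, sep=";"):
    """True if path passes the prefix check (';' separates entries on Windows)."""
    # Collapse ".." first, standing in for the path resolution PHP does.
    p = posixpath.normpath(_norm(path))
    for base in filter(None, open_basedir.split(sep)):
        b = _norm(base)
        if p.startswith(b) or p + "/" == b:
            return True
    return False

def hardened_basedir(client):
    """Per-client value ending in a slash, so it names one directory only."""
    return f"{HOSTING_ROOT}{client}/"

def exposed_siblings(client, all_clients, open_basedir):
    """Other clients whose files the given open_basedir value also admits."""
    return sorted(
        other for other in all_clients
        if other != client
        and allowed(f"{HOSTING_ROOT}{other}/www/index.php", open_basedir)
    )

def vhost_line(client):
    """Line for that client's <VirtualHost> section in httpd.conf."""
    return f'php_admin_value open_basedir "{hardened_basedir(client)}"'

if __name__ == "__main__":
    clients = ["bob", "bobby", "alice"]      # constructed sample names
    weak = HOSTING_ROOT + "bob"              # no trailing slash
    print("weak value exposes:", exposed_siblings("bob", clients, weak))
    print("hardened value exposes:", exposed_siblings("bob", clients, hardened_basedir("bob")))
    for c in clients:
        print(vhost_line(c))
```

Running the audit over the real list of client folder names before writing the virtual host sections catches any pair of accounts where one name is a prefix of another.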
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

You can also bypass any basedir restriction with curl, so might wanna disable that.