PHP lock access to previous folders

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

micdhack
Forum Newbie
Posts: 3
Joined: Sun Nov 09, 2008 3:39 pm

PHP lock access to previous folders

Post by micdhack »

I have a web server and I would like to give people access to specific FTP folders. I want to give the users the opportunity to use PHP as well.
Since PHP has some commands like exec, fopen, include, I am afraid that maybe users will try to "hack" the server by accessing previous directories than the ones assigned to them.
For example, they can create a PHP script that opens a file in ../bla bla or, worse, exec("rm -r ../*"), which may result in deleting all other users' directories if the structure is "/ftp/<userdir>".
I don't want to disable commands such as exec and others because I have PHP scripts and I need them.
So is there a way that PHP can be locked and the root directory will be locked to each user's directory?
Note that these scripts will be executed from Apache and not from SSH, so probably the user and group owner for all directories that users will have will be the same.
Thanks in advance.
veridicus
Forum Commoner
Posts: 86
Joined: Fri Feb 23, 2007 9:16 am

Re: PHP lock access to previous folders

Post by veridicus »

I think you might want to turn on safe mode per user. This is possible with Apache/PHP by adding PHP config settings to the .htaccess file in each user directory. For example,

php_value safe_mode 1
added to an .htaccess file will turn on safe mode for PHP scripts executed in that directory and any subdirectories.

That would allow you to still leave exec and other unsafe things for yourself on the same server.
micdhack
Forum Newbie
Posts: 3
Joined: Sun Nov 09, 2008 3:39 pm

Re: PHP lock access to previous folders

Post by micdhack »

I have thought about using safe mode but it's not a good option since, as I read here
http://cz.php.net/features.safe-mode
they are going to remove it in the 6th version, and also most of its functions are restricted by "Checking whether the directory in which the script is operating has the same UID (owner) as the script that is being executed".
Which unfortunately in my case means that I will have a problem, since all files and directories that users will have have the same UID (only the FTP login directory and login information is different). The reason is that I want to give the users the option to edit files via a web interface also, so instead of creating 1000 different users in the system I will have one for their directories. I don't know if this is manageable though.
I'm short of ideas, so what other options do I have? How do you believe it would be best accomplished?
micdhack
Forum Newbie
Posts: 3
Joined: Sun Nov 09, 2008 3:39 pm

Re: PHP lock access to previous folders

Post by micdhack »

I did some research and found out that there are some solutions such as mpm-itk, and FastCGI and suexec, that can be installed and provide security on an Apache level, but there is some performance cost as well as tuning for each individual vhost you create, which may result in other problems.
On a PHP level I saw that there is a command that would be supported in version 6. open_basedir supposedly locks your directory so PHP thinks that the root directory is the one that you specified (can read forward folders but can't go backwards). It's exactly what I wanted, although in the 6th version they changed how you specify it. In 5 it's in .htaccess but in the new version it will be in httpd.conf and php.ini.
What I would like to ask is, is it possible for me to have multiple php.ini files for each web location?
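
One way to get the per-user open_basedir lock discussed in the last post, as an added example written for this page (not code from any poster): a shell script that emits one Apache <Directory> block per user for inclusion in httpd.conf. It assumes mod_php and the /ftp/<userdir> layout from the first post; the user names are constructed, and valid_user, emit_block and emit_all are names made up here. open_basedir confines PHP's own file functions only, not programs started through exec().

```shell
#!/bin/sh
# Added example: emit per-user Apache <Directory> blocks that pin PHP's
# open_basedir to each user's own folder. Assumes mod_php and the
# /ftp/<userdir> layout from the thread; user names below are constructed.

FTP_ROOT="/ftp"   # assumption: base directory from the thread's example

# Accept only plain names: letters, digits, '_' and '-'. This rejects
# '..', '/', whitespace and quotes, which could escape the path or
# break out of the quoted config value.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one <Directory> block for user $1, or fail without output.
emit_block() {
    valid_user "$1" || { echo "rejected user name: $1" >&2; return 1; }
    dir="$FTP_ROOT/$1"
    # Trailing slash matters: on PHP versions that treat open_basedir as
    # a prefix, "/ftp/bob" would also allow "/ftp/bobby".
    # php_admin_value cannot be overridden from .htaccess or ini_set().
    printf '<Directory "%s">\n' "$dir"
    printf '    php_admin_value open_basedir "%s/"\n' "$dir"
    printf '</Directory>\n'
}

# Print blocks for every valid name; non-zero status if any was rejected.
emit_all() {
    rc=0
    for u in "$@"; do
        emit_block "$u" || rc=1
    done
    return $rc
}

# Constructed sample run; redirect into a file Include'd by httpd.conf.
emit_all alice bob
```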