usimon

Reputation: 445

Restrict PHP's file system access to a folder

My scenario: I have a shared hosting account running Apache that I use for personal projects. Now a friend of mine needs a little space to put up a website for his hockey club. I decided to let him run it on my account and to give him an FTP account that limits his access to public_html/hockey.

My question: Is there a way to restrict his PHP scripts (in his hockey folder) in such a way that they couldn't access any files outside the hockey folder? I'm looking for a solution involving something like a configuration in php.ini or .htaccess. Please do not reply to tell me he should try not to access anything outside that folder. I'm trying to improve security against intentional access and accidental security holes in his code.

If you know how to run his content in kind of a sandbox environment, any constructive input is greatly appreciated.

Thanks, Simon

Upvotes: 5

Views: 6050

Answers (3)

T.Todua

Reputation: 56371

NO!

You can't (99%) achieve that with the same cPanel account. open_basedir, AllowOverride and safe_mode are not even enough! CGI/Perl/cron jobs are still unprotected!

You'd better use a Reseller (WHM) cPanel account, or a DirectAdmin (cPanel alternative) multi-user account.

Upvotes: 0

Lonnie

Reputation: 36

This is perfect.. I get it will be gone in 5.6 but 5.3.x is still going to be prevalent for a long time, let's be honest.. too many hosting providers worry too much about losing business by breaking their clients' websites ... Several of the clients I've worked with have customers still running on PHP 4.x .. that is extreme neglect ..

They did make a push to force some of them to 5.2 .. which was outdated long before they made the push.. but the fact remains you can't just push your entire client base to a new version.. most of them are not developers and it costs them money, and it translates into a loss of money if they cancel because you forced it..

I've adopted the attempt to isolate shared accounts on our systems .. that is why this is useful.. I want to lock down the 5.3-5.5 users the best I can .. so I use php-fcgi .. suexec.. etc.. so enforcing this directive in their vhost seems to be the next best level of isolation!

I have tested this in my virtual lab and it seems to do exactly what I want.. it keeps people from being able to glob() files from /etc and finding our passwd files as well as our other virtual hosts that they might want to brute force...

Upvotes: 0

Jon

Reputation: 437376

You can use the open_basedir configuration setting to limit PHP's reach. For example, to set open_basedir per directory in httpd.conf you would write

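<Directory /var/www/public_html/hockey>
  # Trailing slash: older PHP versions match open_basedir as a prefix, so
  # without it a sibling such as /var/www/public_html/hockey2 would also pass.
  php_admin_value open_basedir "/var/www/public_html/hockey/"
</Directory>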

Upvotes: 5
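
A way to confirm that the open_basedir restriction from this answer is actually in effect, as an added example that is not part of the original answers. The file name check_basedir.php and the probed paths are assumptions; the /etc probes mirror the glob() test described in the second answer.

```php
<?php
// Added example, not from the original answers: self-check for open_basedir.
// Assumption: saved as check_basedir.php (hypothetical name) inside the
// restricted folder and requested over HTTP, so the <Directory> setting
// applies. The CLI usually reads a different configuration.
// Written to run on PHP 5.3 and later.

header('Content-Type: text/plain');

// Run one access attempt with warnings suppressed; report whether it worked.
function attempt($callback)
{
    $result = @call_user_func($callback);
    // false = refused; an empty array is what glob() may return when blocked.
    return $result !== false && $result !== null && $result !== array();
}

$outside = dirname(__DIR__); // parent of the restricted folder

// label => array(closure, whether access SHOULD succeed)
$checks = array(
    'read own script'  => array(function () { return file_get_contents(__FILE__); }, true),
    "list $outside"    => array(function () use ($outside) { return scandir($outside); }, false),
    'read /etc/passwd' => array(function () { return file_get_contents('/etc/passwd'); }, false),
    'glob /etc/*'      => array(function () { return glob('/etc/*'); }, false),
);

echo 'open_basedir = ', var_export(ini_get('open_basedir'), true), "\n";

$failures = 0;
foreach ($checks as $label => $check) {
    $allowed = attempt($check[0]);
    $ok = ($allowed === $check[1]);
    $failures += $ok ? 0 : 1;
    printf("%-4s %-40s %s\n", $ok ? 'OK' : 'FAIL', $label, $allowed ? 'allowed' : 'blocked');
}

echo $failures === 0
    ? "Restriction behaves as expected.\n"
    : "$failures check(s) did not match the expected result.\n";
```

The script only exercises PHP file functions; as the first answer notes, CGI, Perl and cron jobs are outside open_basedir's reach. Delete it from the folder once the check has been run.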
