user5747873
Reputation: 379
Ubuntu - Prevent Linux/Apache users from listing anything but their home directory with PHP
Long story short, I'm in the early stages of building a small web hosting server. When I create a new site for a customer this happens:
- A new Linux user is created with a home directory and /sbin/nologin
- The user is added to group sftpusers
- A public_html is created in the users home directory
- A new Apache Vhost is created
- The site is started and the process is running as the new Linux user using mpm-itk and AssignUserId
All well so far. The user can only sftp in to the home directory and put his files there. The user can't navigate outside the home directory when using a SFTP client like WinSCP or similar.
The problem is that they can list stuff outside the home dir with a bit of php. This will list everything in /etc/:
$scan = scandir(/etc);
foreach ($scan as $i) {
echo $i;
}
This is my problem and it needs to be dealt with, but I don't really know how.
My /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no
Please let me know if additional information is needed.
Upvotes: 0
Views: 54
Answers (1)
Related Questions
- how to allow for Apache to read/write to user home directory?
- Avoiding the users to be able to see a directory in php
- Stop directory listing without .htaccess in a PHP website
- How do I disable listing of directories in Apache?
- How to prevent directory browsing?
- Avoid Directory listing in a shared server
- How to use Apache/PHP to protect directories from users that aren't logged in
- Prevent directory listing and files for specific user
- How to only show server directory list to a certain user in PHP?
- How to stop Apache from listing the contents of my user directories