Reputation: 2670
Is it possible to restrict PHP's file access to its document root? Basically on my work's server we have our domains in a file structure like:
/home/something/domains/domain1/
/home/something/domains/domain2/
/home/something/domains/domain3/
Right now, any script on domain1 has read and write access to anything in /home/something/domains/ including all of our other domains. I would like to restrict file access for a script in domain1 to only that domain.
The server is hosted with Media Temple and it is their grid service, so I don't have root access or even vhost config access. We can change php.ini, and I know it offers open_basedir, but it doesn't sound like that solves my problem as I could only restrict file access to /domains/ and not the individual domains. Any help appreciated.
What I'm really trying to do:
This server was recently hacked, and the hackers were overwriting domains/.htaccess, which affected all our sites. We have tons of sites and many of them have lots of lines of bad code. They uploaded WSO, a hacking backdoor/shell which gave them full access to everything. I don't know how they got access; I guess it was either from the timthumb exploit, one of the millions of lines of bad code, or they just got our FTP password somehow. We updated old timthumbs, changed the password and removed all the bad files we found, but since there is a decent chance whatever exploit they found is still on the server, or that we missed some backdoor, I would at least like to limit their access to the actual domain that contains the exploit or unfound backdoor.
Upvotes: 3
Views: 1556
Reputation: 11721
My initial thought was to set open_basedir for each of the virtual hosts (even if you have to ask your host admin to do it for you), but I am doubtful that will even work because I am fairly certain external/shell commands that run in PHP/scripts will still work on directories outside of the designated tree.
After more consideration, the closest way to configure your setup and get what you want, that I could think of, would be to set up chroot-jailed user accounts for each vhost and have your webserver use those user accounts through a mechanism like the Apache 2 MPM ITK, which I can only assume your hosting provider will have trouble setting up.
Upvotes: 3
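An added configuration example, not part of either post above: php.ini supports per-directory `[PATH=...]` sections, which allow a separate open_basedir per domain from the one file the question says can be edited. It assumes PHP 5.3 or later running as CGI/FastCGI (the sections are ignored under mod_php) and that the edited php.ini is the one PHP actually loads; the global disable_functions line addresses the shell-command caveat raised in the answer.

```ini
; Added example (not from the original posts).
; Assumption: PHP 5.3+ as CGI/FastCGI; [PATH=...] sections do nothing under mod_php.

; Weak setting for comparison: one global value still lets a script in
; domain1 read and write domain2, domain3 and domains/.htaccess.
; open_basedir = "/home/something/domains/"

; open_basedir only covers PHP's own file functions, not programs that PHP
; launches, so turn the shell-out functions off. disable_functions is read
; from the main php.ini only, so it goes in the global part of the file.
; Check first that no site depends on any of these.
disable_functions = exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec

; One section per domain. Values set inside a [PATH=...] section cannot be
; overridden by .user.ini files or by ini_set() at runtime.
; Keep the trailing slash: older PHP versions treat the value as a string
; prefix, so ".../domain1" would also match ".../domain10".
[PATH=/home/something/domains/domain1/]
open_basedir = "/home/something/domains/domain1/"

[PATH=/home/something/domains/domain2/]
open_basedir = "/home/something/domains/domain2/"

[PATH=/home/something/domains/domain3/]
open_basedir = "/home/something/domains/domain3/"
```

To confirm the sections are honoured, check the effective open_basedir value from a script placed inside each domain's directory. This limits PHP-level file access only; all domains still run as the same system user, which is the gap the chroot/MPM ITK suggestion in the answer is aimed at.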