rrinc
Joined: 24 Feb 2006 Posts: 725 Location: Arkansas, USA
Posted: Mon Jun 02, 2008 5:16 am Post subject: PHP open_basedir security for multiple hosts
Open_basedir is a PHP setting used to restrict filesystem access through PHP. It's useful to keep hosts on your server from accessing each other's files. Setting open_basedir in php.ini isn't very useful for virtual hosting since it is a single setting and each host will need to be restricted to a different folder.
To overcome this, when you set up PHP for each host you can add arguments to the PHP interpreter. For each host that you want to secure, set the arguments for the PHP interpreter to this and make sure to set the path to the documents directory for that particular host:
Code:
-d open_basedir=c:/htdocs/host
Replace "c:/htdocs/host" with the path to the documents directory of the host you are working on. If done properly your hosts will now be unable to touch any files outside of their documents directory.
_________________
-Blake | New Server :D
SaveTheInternet
I am a Spanish speaker. You can contact me by private message.
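
A way to confirm that the `-d open_basedir=...` argument from the post above took effect for one host, as an added example that is not part of the thread. The function names are hypothetical, and the file is assumed to sit in the top level of that host's documents directory.

```php
<?php
// Added example (not from the thread): self-check for one host's open_basedir.
// Assumption: this file sits in the top level of the host's documents directory.

function norm($p) {
    // Forward slashes, no trailing slash, lower case (Windows paths ignore case).
    return rtrim(strtolower(str_replace('\\', '/', $p)), '/');
}

function check_open_basedir($docRoot) {
    $problems = array();
    $setting = (string) ini_get('open_basedir');
    if ($setting === '') {
        return array('open_basedir is empty: this host is not restricted');
    }
    $root = norm($docRoot);
    $exact = false;
    // open_basedir may list several directories, split by PATH_SEPARATOR.
    foreach (explode(PATH_SEPARATOR, $setting) as $entry) {
        $e = norm($entry);
        if ($e === $root) {
            $exact = true;
        } elseif ($e === '' || strpos($root . '/', $e . '/') === 0) {
            $problems[] = "entry '$entry' is a parent of the documents directory";
        }
    }
    if (!$exact) {
        $problems[] = "no entry equals the documents directory '$docRoot'";
    }
    // Behavioural probes: inside must be listable, the parent must not be.
    if (@scandir($docRoot) === false) {
        $problems[] = 'documents directory itself is not readable (wrong path?)';
    }
    $parent = dirname($docRoot);
    if (norm($parent) !== $root && @scandir($parent) !== false) {
        $problems[] = "parent directory '$parent' is still listable";
    }
    return $problems;
}

$problems = check_open_basedir(dirname(__FILE__));
header('Content-Type: text/plain');
echo 'open_basedir = ' . ini_get('open_basedir') . "\n";
echo $problems ? "FAIL\n - " . implode("\n - ", $problems) . "\n" : "OK: restricted to this host\n";
```

Request the file once through each host you configured, then delete it, since its output shows the host's filesystem path.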

AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Tue Jun 03, 2008 12:04 pm
I should let people know that this is not to be used to stop people hacking into your server through PHP. If you want to stop that you need to edit other php.ini settings besides the base directory. You also need to enable safe mode, edit the upload temp directory and disable other things that the user shouldn't need, including any functions you don't want them to use.
I had to do this because I was hacked through PHP and a virus was planted in my system files and was executed with PHP. Now I run safe mode on hosts that don't need the exec() or shell_exec() commands etc and it can no longer happen.
Just a heads up to anyone who thinks this is a full solution to hackers...
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

rrinc
Joined: 24 Feb 2006 Posts: 725 Location: Arkansas, USA
Posted: Tue Jun 03, 2008 6:47 pm
I agree it is not a full solution. Other settings can be added in a similar way without using ini's for each host. I would turn on safe mode in your php.ini then make exceptions for hosts that need it off by adding this:

AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Tue Jun 03, 2008 7:02 pm
rrinc wrote: | I agree it is not a full solution. Other settings can be added in a similar way without using ini's for each host. I would turn on safe mode in your php.ini then make exceptions for hosts that need it off by adding this: |
You could do that yes but again more options do need to be changed. I have my setup so I have a separate php.ini for each host (well, my free hosting doesn't have the limitation, it's limited so every user can access every other user's free hosting but it was only to save time).