PHP open_basedir security for multiple hosts

 
rrinc
-


Joined: 24 Feb 2006
Posts: 725
Location: Arkansas, USA

Posted: Mon Jun 02, 2008 5:16 am    Post subject: PHP open_basedir security for multiple hosts

Open_basedir is a PHP setting used to restrict filesystem access through PHP. It's useful to keep hosts on your server from accessing each other's files. Setting open_basedir in php.ini isn't very useful for virtual hosting since it is a single setting and each host will need to be restricted to a different folder.

To overcome this, when you set up PHP for each host you can add arguments to the PHP interpreter. For each host that you want to secure, set the arguments for the PHP interpreter to this and make sure to set the path to the documents directory for that particular host:
Code:
-d open_basedir=c:/htdocs/host
Replace "c:/htdocs/host" with the path to the documents directory of the host you are working on. If done properly, your hosts will now be unable to touch any files outside of their documents directory.


_________________
-Blake | New Server :D
SaveTheInternet
I am a Spanish speaker. You can contact me by private message.
AbyssUnderground
-


Joined: 31 Dec 2004
Posts: 3855

Posted: Tue Jun 03, 2008 12:04 pm

I should let people know that this is not to be used to stop people hacking into your server through PHP. If you want to stop that you need to edit other php.ini settings besides the base directory. You also need to enable safe mode, edit the upload temp directory and disable other things that the user shouldn't need, including any functions you don't want them to use.

I had to do this because I was hacked through PHP and a virus was planted in my system files and was executed with PHP. Now I run safe mode on hosts that don't need the exec() or shell_exec() commands, etc., and it can no longer happen.

Just a heads up to anyone who thinks this is a full solution to hackers...
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
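A self-check for the two posts above, as an added example that is not part of the original thread: it reports whether the per-host open_basedir argument is in effect and whether the command-execution functions mentioned in the reply are still callable. The function name `check_open_basedir` and the path in `$outside` are assumptions; point `$outside` at a directory that really exists outside the host's documents directory.

```php
<?php
// Added example, not code from the thread. Save it in a host's documents
// directory and request it through that host to test that host's settings.

// Assumption: placeholder path outside this host's documents directory.
// It must exist on the server, otherwise "outside_blocked" proves nothing.
$outside = 'c:/htdocs/other-host';

function check_open_basedir(string $outside): array
{
    $report = [];

    // Effective value as seen by this request (php.ini or the -d argument).
    $basedir = ini_get('open_basedir');
    $report['open_basedir'] = ($basedir === false || $basedir === '')
        ? '(not set)'
        : $basedir;

    // The host's own directory must stay readable.
    $report['inside_readable'] = @scandir(__DIR__) !== false;

    // With open_basedir in effect, scandir() on an outside path returns
    // false (and raises a warning, suppressed here with @).
    $report['outside_blocked'] = @scandir($outside) === false;

    // open_basedir only restricts PHP's own filesystem functions. A program
    // started through these functions is not bound by it, so list which
    // ones this host can still call.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $names = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];
    foreach ($names as $fn) {
        $report['callable'][$fn] = function_exists($fn) && !in_array($fn, $disabled, true);
    }

    return $report;
}

header('Content-Type: text/plain');
$report = check_open_basedir($outside);
echo 'open_basedir:    ', $report['open_basedir'], "\n";
echo 'inside readable: ', $report['inside_readable'] ? 'yes' : 'no', "\n";
echo 'outside blocked: ', $report['outside_blocked'] ? 'yes' : 'NO', "\n";
foreach ($report['callable'] as $fn => $ok) {
    echo str_pad($fn . '():', 17), $ok ? 'callable' : 'disabled', "\n";
}
```

Remove the script from the host once the check is done, since its output describes the server's configuration.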
rrinc
-


Joined: 24 Feb 2006
Posts: 725
Location: Arkansas, USA

Posted: Tue Jun 03, 2008 6:47 pm

I agree it is not a full solution. Other settings can be added in a similar way without using ini's for each host. I would turn on safe mode in your php.ini then make exceptions for hosts that need it off by adding this:
Code:
-d safe_mode=Off

AbyssUnderground
-


Joined: 31 Dec 2004
Posts: 3855

Posted: Tue Jun 03, 2008 7:02 pm

rrinc wrote:
I agree it is not a full solution. Other settings can be added in a similar way without using ini's for each host. I would turn on safe mode in your php.ini then make exceptions for hosts that need it off by adding this:
Code:
-d safe_mode=Off


You could do that, yes, but again more options do need to be changed. I have my setup so I have a separate php.ini for each host (well, my free hosting doesn't have the limitation; it's limited so every user can access every other user's free hosting, but it was only to save time).