php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #13261 More restrictive File-system access
Submitted: 2001-09-12 05:21 UTC Modified: 2010-12-01 16:06 UTC
From: mike dot hall at opencube dot co dot uk Assigned: jani (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: Any
Private report: No CVE-ID: None
 [2001-09-12 05:21 UTC] mike dot hall at opencube dot co dot uk
echo `ls /home`;

In a virtual host situation, this is very dangerous. On my own host - as an experiment - I was able to bring back a directory listing of any other site on the same box. I then did an fread() on his database abstraction script and read the passwords for his database. Then I logged into his MySQL database and was free to mess with his site.

It would be EXTREMELY useful to be able to limit the scope of the filesystem functions so they can only read files inside $DOCUMENT_ROOT. Although that wouldn't stop me from typing `cat /home/user/www/database.php`; and getting the same data. This really needs addressing, guys!

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-09-12 05:59 UTC] mike dot hall at opencube dot co dot uk
Just to clarify, a method of specifying open_basedir dynamically would be nice. Sorry I didn't make that clear first time.
 [2001-09-12 11:12 UTC] jason@php.net
You can dynamically assign open_basedir by adding "php_admin_value open_basedir /home/user" to every
Apache VirtualHost block.

The ls /home/user issue is a difficult problem to solve
due to the nature of the webserver module. Since the webserver module runs as user nobody, you are forced to open restrictions on users home directories and files to allow apache to read other users' php scripts. 

There are ways you can customize your hosting environment to get around the webserver module problem. 

a. www.freevsd.org
b. Turing on safe_mode and setting the exec dir to point to a set of customized unix commands that lock users into there directory
c. hacking php to your environment

Currently, the best method is compiling php as cgi-bin module, and enabling safe_mode.

I have a project waiting on my todo list that could possibly solve a good majority the virtual hosting 
problems with php. If you are interested in this 
monitor the php-dev mailing list

-Jason


 [2010-12-01 16:06 UTC] jani@php.net
-Status: Analyzed +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-12-01 16:06 UTC] jani@php.net
Safe-mode will be gone in future. Tightening open_basedir is now possible since 5.3 something.
 [2010-12-01 16:06 UTC] jani@php.net
-Package: *General Issues +Package: Safe Mode/open_basedir
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Jan 26 15:01:25 2020 UTC