php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #13261 More restrictive File-system access
Submitted: 2001-09-12 05:21 UTC Modified: 2010-12-01 16:06 UTC
From: mike dot hall at opencube dot co dot uk Assigned: jani (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: Any
Private report: No CVE-ID: None
View Developer Edit
 [2001-09-12 05:21 UTC] mike dot hall at opencube dot co dot uk 
echo `ls /home`;

In a virtual host situation, this is very dangerous. On my own host - as an experiment - I was able to bring back a directory listing of any other site on the same box. I then did an fread() on his database abstraction script and read the passwords for his database. Then I logged into his MySQL database and was free to mess with his site.

It would be EXTREMELY useful to be able to limit the scope of the filesystem functions so they can only read files inside $DOCUMENT_ROOT. Although that wouldn't stop me from typing `cat /home/user/www/database.php`; and getting the same data. This really needs addressing, guys!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-09-12 05:59 UTC] mike dot hall at opencube dot co dot uk 
Just to clarify, a method of specifying open_basedir dynamically would be nice. Sorry I didn't make that clear first time.
 [2001-09-12 11:12 UTC] jason@php.net 
You can dynamically assign open_basedir by adding "php_admin_value open_basedir /home/user" to every
Apache VirtualHost block.

The ls /home/user issue is a difficult problem to solve
due to the nature of the webserver module. Since the webserver module runs as user nobody, you are forced to open restrictions on users home directories and files to allow apache to read other users' php scripts. 

There are ways you can customize your hosting environment to get around the webserver module problem. 

a. www.freevsd.org
b. Turing on safe_mode and setting the exec dir to point to a set of customized unix commands that lock users into there directory
c. hacking php to your environment

Currently, the best method is compiling php as cgi-bin module, and enabling safe_mode.

I have a project waiting on my todo list that could possibly solve a good majority the virtual hosting 
problems with php. If you are interested in this 
monitor the php-dev mailing list

-Jason
 [2010-12-01 16:06 UTC] jani@php.net
-Status: Analyzed +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-12-01 16:06 UTC] jani@php.net 
Safe-mode will be gone in future. Tightening open_basedir is now possible since 5.3 something.
 [2010-12-01 16:06 UTC] jani@php.net
-Package: *General Issues +Package: Safe Mode/open_basedir
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jan 02 20:01:30 2025 UTC