If you run php in safe mode and set your PHP open_basedir to the DocumentRoot for the domain, then they cannot open any files outside of that directory. In php.ini:

    safe_mode = on

Then in your <VirtualHost>:

    php_admin_flag engine on
    php_admin_value open_basedir "/var/www/vhosts/domain.com/htdocs:/tmp"

You may even want to leave off "/tmp" and make each user create a tmp directory in their own directory, or move the restriction back to /var/www/vhosts/domain.com so they can use anything inside of their domain directory.

If you do this for every VirtualHost, you shouldn't have to worry about users reading/writing to each other's files .. if they attempt to open a file outside of the open_basedir, their script will die out with an error.

There are some other safe_mode variables in the php.ini you might want to check out too. You will probably want to restrict cgi-script access, since this is another way to get around chroot restrictions :)

-Henry

On Sun, 21 Apr 2002, Gustavo Felisberto wrote:

> I have a machine with many virtual hosts. Some of the virtual hosts are
> maintained by clients (we serve as web hosting company) and some are
> internal.
> The external accounts are locked out of the main filesystem using proftpd
> chroot feature and by having /dev/null as the shell.
> My problem is that even that way users of the external group can use php's
> fopen() to open other files. And in a php/mysql environment it is not hard to
> find files with database login/password. If I had lots of IPs I could run
> several copies of apache each one on its IP and one for each external
> client, I would run it with the clients group and that way I could lock each
> one out of the others account. The problem is that I don't have lots of IPs,
> any ideas on how to solve this?
>
> Gustavo Felisberto
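
A per-VirtualHost check of the settings discussed in this thread, as an added example that is not part of either message: it parses an Apache configuration and reports vhosts that have no `php_admin_value open_basedir`, or whose entries (such as the shared /tmp) fall outside the vhost's own directory. The sample configuration and the names a.example, b.example and c.example are constructed, and the check assumes the vhost directory is the parent of DocumentRoot, as in the path above.

```python
import posixpath
import re

# Constructed sample config (not from the original thread); vhost names are made up.
SAMPLE_CONF = """
<VirtualHost *:80>
  ServerName a.example
  DocumentRoot /var/www/vhosts/a.example/htdocs
  php_admin_value open_basedir "/var/www/vhosts/a.example/htdocs:/tmp"
</VirtualHost>
<VirtualHost *:80>
  ServerName b.example
  DocumentRoot /var/www/vhosts/b.example/htdocs
  php_admin_value open_basedir "/var/www/vhosts/b.example"
</VirtualHost>
<VirtualHost *:80>
  ServerName c.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Argument of the last `name ...` line in a block, unquoted, or None."""
    hits = re.findall(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return hits[-1].strip('"') if hits else None

def inside(path, root):
    """True if path is root or below it, after collapsing '..' (no symlink resolution)."""
    p, r = posixpath.normpath(path), posixpath.normpath(root)
    # Compare on a directory boundary so "a.example.evil" is not "inside" "a.example".
    return p == r or p.startswith(r.rstrip("/") + "/")

def audit(conf):
    """Return {ServerName: [findings]}; assumes vhost dir = parent of DocumentRoot."""
    report = {}
    for body in VHOST_RE.findall(conf):
        docroot = directive(body, "DocumentRoot")
        basedir = directive(body, r"php_admin_value\s+open_basedir")
        findings = []
        if basedir is None:
            findings.append("no open_basedir")
        elif docroot is None:
            findings.append("no DocumentRoot to compare against")
        else:
            vhost_dir = posixpath.dirname(posixpath.normpath(docroot))
            findings += [f"outside vhost dir: {e}"
                         for e in basedir.split(":") if not inside(e, vhost_dir)]
        report[directive(body, "ServerName") or "(unnamed)"] = findings
    return report
```

Calling `audit()` on the text of a real configuration file returns one list of findings per vhost; an empty list means every open_basedir entry stays inside that vhost's directory.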