Hi all,
I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql:
http://www.howtoforge.com/proftpd_mysql_virtual_hosting
I got it all running fine, multiple users, and all are kept securely jailed in their home directories when they connect over FTP. So they can only upload/download/view files in their home dir.
However I came across a big security issue.
As all the files/dirs that are created by these virtual FTP users are owned by the system user:
User: ftpuser
Group: ftpgroup
Then any user can create a small PHP script, which can traverse the directories of other users and read their files!!
Here's an example, 2 virtual users have these homedirs:
In /home:
Code:
drwxr-sr-x 3 ftpuser ftpgroup 4096 Jun 27 12:46 user1
drwxr-sr-x 3 ftpuser ftpgroup 4096 Jul 1 19:28 user2
So user1 has all their files in /home/user1/
and user2 in /home/user2
And as you can see both are owned by the ftpuser.ftpgroup.
If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this:
PHP Code:
<?php
// Walk one level up from this user's home and list whatever is there.
$dir = "../";
if ($handle = opendir($dir)) {
    while (false !== ($file = readdir($handle))) {
        if ($file != "." && $file != "..") {
            echo "$file<br>";
        }
    }
    closedir($handle);
}
?>
It would result in these dirs being displayed:
user1
user2
And if they changed $dir to be: "../user2/", they could view all files under user2's directory.
Basically because everything is owned by the same system user/group.
How can I get around this, as it's pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what they can do on the system...
Thanks, Mike.
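The post above shows two directories with the same owner and the mode drwxr-sr-x. To make the permission logic explicit, here is an added example (not code from the post or from the howtoforge tutorial) that models the kernel's owner/group/other access decision in Python and runs it over the layout from the post, plus a second layout in which every virtual user gets its own uid/gid and a 0750 home. The uids (1001 for ftpuser, 1002/1003 for per-user accounts, 33 for a web-server account) and the per-user layout are constructed assumptions for illustration; nothing here touches a real filesystem.

```python
import stat
from dataclasses import dataclass

# Permission bits requested by an operation (same values as the rwx triplet).
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    """Ownership and mode of one directory, as `ls -l` would report it."""
    mode: int  # includes setuid/setgid/sticky bits, e.g. 0o2755
    uid: int
    gid: int


def parse_mode(ls_mode: str) -> int:
    """Convert an `ls -l` mode string such as 'drwxr-sr-x' to numeric mode bits."""
    if len(ls_mode) != 10:
        raise ValueError("expected a 10-character ls mode string")
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(ls_mode[1:]):
        bit = 1 << (8 - i)  # 0o400 for owner r ... 0o1 for other x
        slot = i % 3        # 0 = r, 1 = w, 2 = x
        if ch == "-":
            continue
        if slot == 2 and ch in "sStT":
            if ch in "st":      # lower case: the execute bit is set too
                mode |= bit
            mode |= special[i]  # s in owner/group slot, t in other slot
        elif ch == "rwx"[slot]:
            mode |= bit
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def may_access(inode: Inode, uid: int, gids: set, want: int) -> bool:
    """POSIX discretionary access check: root, then owner, then group, then other."""
    if uid == 0:
        return True
    if uid == inode.uid:
        shift = 6
    elif inode.gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (inode.mode >> shift) & 7
    return (bits & want) == want


def can_list(inode: Inode, uid: int, gids: set) -> bool:
    """opendir()/readdir() on a directory needs read permission on it."""
    return may_access(inode, uid, gids, R)


# Constructed ids: the shared ftpuser:ftpgroup account from the post.
FTPUSER, FTPGROUP = 1001, 1001


def shared_layout() -> dict:
    """The layout shown in the post: both homes owned by ftpuser:ftpgroup, drwxr-sr-x."""
    mode = parse_mode("drwxr-sr-x")
    return {
        "/home/user1": Inode(mode, FTPUSER, FTPGROUP),
        "/home/user2": Inode(mode, FTPUSER, FTPGROUP),
    }


def per_user_layout() -> dict:
    """Assumed hardening: one uid/gid per virtual user, home mode 0750."""
    return {
        "/home/user1": Inode(0o750, 1002, 1002),
        "/home/user2": Inode(0o750, 1003, 1003),
    }


def script_can_list(uid: int, gids: set, layout: dict, target: str) -> bool:
    """Can a script running with these credentials list `target`?"""
    return can_list(layout[target], uid, gids)


if __name__ == "__main__":
    shared, per_user = shared_layout(), per_user_layout()
    print("shared layout, script as ftpuser lists /home/user2:",
          script_can_list(FTPUSER, {FTPGROUP}, shared, "/home/user2"))
    print("shared layout, script as uid 33 (other) lists /home/user2:",
          script_can_list(33, {33}, shared, "/home/user2"))
    print("per-user layout, user1 lists /home/user2:",
          script_can_list(1002, {1002}, per_user, "/home/user2"))
```

Two things the model makes visible: with the posted modes the owner check is not even needed, because drwxr-sr-x grants r-x to everyone, so any uid on the box can list both homes; and once each home has its own owner and no "other" bits, a script running as user1 is refused at the directory read before it ever reaches user2's files.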