#1
17th August 2007, 23:54
edwintenhaaf (Junior Member)
security issue using suphp with php filemanager

Hello,

It took me a while to get suPHP running on my Strato VPS server with Debian Etch, but now it's working almost perfectly.

I have one 'little' problem. When using a PHP filemanager, users can browse out of their own webx folder and go into other users' folders and read all files, some with passwords in them, like config.php for use with Joomla.

How to solve this? I can't be the only one with this problem?

Edwin

#2
18th August 2007, 09:03
till (Super Moderator)

You can specify a custom php.ini file for suPHP in the Apache directives field of the website and then set a PHP open_basedir value for the website that prevents file system browsing.
__________________
Till Brehm

#3
18th August 2007, 15:24
edwintenhaaf (Junior Member)

Thanks again for the quick reply.

Found the open_basedir in php.ini and played around with it.
Users are now 'chrooted' to /var/www/ but that's not the solution you mentioned.

Do I put a copy of the original php.ini in the /var/www/webx folder,
edit the open_basedir value, and
copy the directive PHPIniDir "/var/www/webx " into the Apache directive field under that domain in ISPConfig?

#4
18th August 2007, 22:19
edwintenhaaf (Junior Member)
Got it working!

The directive to use in Apache is:

suPHP_ConfigPath /var/www/webX/etc

Create the custom php.ini in /var/www/webX/etc
Set permissions to rw-r--r-- 0644 root:root so users cannot remove or edit it.
(Is it possible to put it in a folder outside of the user's web dir?)

Add the following line to this php.ini

[php]
open_basedir =/var/www/webX/

Restart Apache

Now users are chrooted to their own folder and even with a PHP filemanager they can't escape.

I'm happy, disk quotas are working fine because of suPHP and the security is better.
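
A check for the setup described in post #4, as an added example that is not part of the original thread: it verifies that a per-site php.ini confines open_basedir to the site root and that neither the file nor the directory holding it can be changed by the site user. The function names, the optional owner argument and the use of GNU stat/find (as on Debian) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat/find, as on Debian.
# Prints one line per problem; prints nothing when the setup is clean.
site_ini_findings() {
    ini=$1; root=${2%/}/; owner=${3:-root}
    dir=$(dirname "$ini")

    # 1. open_basedir: every colon-separated entry must be the site root or a
    #    directory below it, end in "/" and contain no "..". Without the
    #    trailing slash, PHP versions that match the value as a plain prefix
    #    let /var/www/web1 also cover /var/www/web10.
    vals=$(sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$ini" |
           tr -d '"' | tr ':' '\n' | sed 's/[[:space:]]*$//')
    [ -n "$vals" ] || echo "open_basedir is not set in $ini"
    printf '%s\n' "$vals" | while IFS= read -r entry; do
        case $entry in
            '') ;;
            *..*) echo "open_basedir entry '$entry' contains '..'" ;;
            "$root" | "$root"*/) ;;
            *) echo "open_basedir entry '$entry' is outside $root or lacks a trailing slash" ;;
        esac
    done

    # 2. Whoever can write to the directory can delete or replace php.ini
    #    whatever the file's own mode is, so check the directory as well.
    for p in "$ini" "$dir"; do
        [ "$(stat -c %U "$p" 2>/dev/null)" = "$owner" ] || echo "$p is not owned by $owner"
        [ -z "$(find "$p" -maxdepth 0 -perm /022 2>/dev/null)" ] || echo "$p is group- or world-writable"
    done
}

# Returns 0 when nothing was found, 1 otherwise (findings go to stdout).
audit_site_ini() {
    findings=$(site_ini_findings "$@")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Script use, e.g.: sh audit.sh /var/www/webX/etc/php.ini /var/www/webX
# (webX is the thread's placeholder; the script name is hypothetical.)
if [ "$#" -ge 2 ]; then audit_site_ini "$@"; fi
```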