Navigation

CarbonCopy · #1 17th April 2009, 21:57

I have a directory structure like this:

/www/site1.com/
/www/site2.com/
/www/site3.com/

My FTP is setup so the user is chrooted to their home dir, /home/user with symlinks to the domains they are allowed in, for example:

/home/user1/site1.com -> /www/site1.com
/home/user1/site3.com -> /www/site3.com
/home/user2/site2.com -> /www/site2.com

Now I want it so when PHP scripts execute, user2 cannot access files in user1's folders, and user1 cannot access files in user2's folder

Not even directory listings

So how, in detail would I do this, or is there a guide to do this (Using apache 2.2 and PHP5).

I would prefer not having all my apache files in 1 directory, but I suppose I could give it a try. I only have 1 active site on my server, so some downtime isn't too big of a deal, but I would still rather not do it that way.

Thanks

-Brandon

falko · #2 18th April 2009, 16:00

You can do this with PHP Safe Mode. http://de2.php.net/features.safe-mode

CarbonCopy · #3 18th April 2009, 19:02

I tried that and was still able to get a directory listing of /etc/

Code:

<?php

//define the path as relative
$path = "/etc";

//using the opendir function
$dir_handle = @opendir($path) or die("Unable to open $path");

echo "Directory Listing of $path<br/>";

//running the while loop
while ($file = readdir($dir_handle)) 
{
   echo "<a href='$file'>$file</a><br/>";
}

//closing the directory
closedir($dir_handle);

?>

falko · #4 19th April 2009, 16:27

Then you didn't implement safe mode correctly.

CarbonCopy · #5 19th April 2009, 16:28

phpinfo() tells me safe mode is on, how else should I implement it?

falko · #6 20th April 2009, 11:50

Try something like this:

Code:

php_admin_flag safe_mode On
php_admin_value open_basedir /www/site1.com/
php_admin_value file_uploads 1
php_admin_value upload_tmp_dir /www/site1.com/phptmp/
php_admin_value session.save_path /www/site1.com/phptmp/