#1
30th December 2006, 12:31
alexillsley
PHP Security

Hi,
If you have a user with a site that has PHP access and they upload a PHP file manager onto it, they can see your whole hard drive. Is there any way to restrict a user's PHP scripts from seeing above their site's folder?
thanks,
Alex

#2
30th December 2006, 12:34
till

Yes, enable the PHP safemode checkbox for this site.
__________________
Till Brehm

#3
30th December 2006, 12:39
alexillsley

YAY THANKS that script just gives a load of errors now

#4
31st December 2006, 16:08
Craig

safemode PHP is a very powerful tool for the ISP!

You should definitely turn it on for every site that is not actually yours, i.e. all your client sites that you do not control directly.

It is similar to creating separate "sand boxes" on the MySQL server for the different clients. It makes it so that they can't see or touch each other.

#5
31st December 2006, 16:10
alexillsley

Safe Mode appears to be a little too safe; in safe mode phpBB forums will not work.

Quote:
Warning: include(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access ./extension.inc owned by uid 10008 in /srv/www/web5/web/forum/index.php on line 25
Warning: include(./extension.inc): failed to open stream: Success in /srv/www/web5/web/forum/index.php on line 25
Warning: include(): Failed opening './extension.inc' for inclusion (include_path='.:/usr/share/php5:/usr/share/php5/PEAR') in /srv/www/web5/web/forum/index.php on line 25
Notice: Undefined variable: phpEx in /srv/www/web5/web/forum/index.php on line 26
Warning: include(): Unable to access ./common. in /srv/www/web5/web/forum/index.php on line 26
Warning: include(./common.): failed to open stream: No such file or directory in /srv/www/web5/web/forum/index.php on line 26
Warning: include(): Failed opening './common.' for inclusion (include_path='.:/usr/share/php5:/usr/share/php5/PEAR') in /srv/www/web5/web/forum/index.php on line 26
Fatal error: Call to undefined function session_pagestart() in /srv/www/web5/web/forum/index.php on line 31

Any ideas how I can let phpBB work?
Thanks,
Alex

Last edited by alexillsley; 31st December 2006 at 16:13.

#6
31st December 2006, 16:13
Craig

What errors are you getting in phpBB? Can you copy and paste them here? Although I don't use phpBB, I use punBB, I haven't had any problems in safemode so maybe I can help you by comparing configurations or something.

In any event, it should work although it may take a little tweaking.

#7
31st December 2006, 16:14
alexillsley

I just edited the post as you said that ...

#8
31st December 2006, 16:22
Craig

I almost heard you typing!

I'm not exactly sure what is going wrong for you but since safemode will prevent scripts from accessing files above their location, I think, my guess is that some of the files on the include list are outside of your client site's directories and so off limits.

One thing that suggests that is this error specifically,
Code:
include_path='.:/usr/share/php5:/usr/share/php5/PEAR'
If I were to guess that that is outside of your client directory, would I be correct? Because I think that is where your problem with safemode might be.

I guess it would help to know your directory structure, where the client scripts are, what scripts and where, if any, those scripts are trying to access etc.

One way or another, you definitely need to get safemode working because it is the only way to prevent a given client's scripts from doing possible damage outside of their client area.

[EDIT] There is this info at phpbb's site that basically says that safemode should work although it does have a little additional info. May be useful to take a look. http://www.phpbb.com/support/documen...stall#safemode

Last edited by Craig; 31st December 2006 at 16:31.

#9
31st December 2006, 16:31
alexillsley

Thanks, the forum is currently stored under /srv/www/web5/web/forum/index.php but it doesn't really matter as I am the client and I own the server so I can trust myself, but I was thinking if I let other people use it, they are very likely to want to have a forum on it..

#10
31st December 2006, 16:34
Craig

Exactly. So, you have two choices, get safe mode working, which phpbb says it should work, or have to trust anyone you give PHP access to with your entire server.

[EDIT : Ok, so /srv/www/web5/web/forum/index.php is trying to set /usr/share/php5:/usr/share/php5/PEAR as its path, which is definitely outside of the "client's" access area so the next question is what is in /usr/share/php5 and/or /usr/share/php5/PEAR that phpbb needs.

There should be some reference to it in /srv/www/web5/web/forum/index.php so there should be some way to figure out what it needs from there and maybe do something about that. Maybe.

Last edited by Craig; 31st December 2006 at 16:38.
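
Added example (not part of the original thread): a small Python parser for the safe-mode warning format quoted in post #5. It extracts the script's owner uid, the denied file and that file's owner uid, and groups the mismatches per script. The function names are hypothetical, and the sample input is three of the warnings from that post.

```python
import re

# Sample input: three of the warnings quoted in post #5, one per line.
SAMPLE_LOG = """\
Warning: include(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access ./extension.inc owned by uid 10008 in /srv/www/web5/web/forum/index.php on line 25
Warning: include(./extension.inc): failed to open stream: Success in /srv/www/web5/web/forum/index.php on line 25
Warning: include(): Unable to access ./common. in /srv/www/web5/web/forum/index.php on line 26
"""

# Matches only the UID-check denial; every other warning is ignored.
# Assumption: the script path contains no spaces.
SAFE_MODE_RE = re.compile(
    r"(?P<func>[\w:]+)\(\): SAFE MODE Restriction in effect\. "
    r"The script whose uid is (?P<script_uid>\d+) is not allowed to access "
    r"(?P<target>.+?) owned by uid (?P<target_uid>\d+) "
    r"in (?P<script>\S+) on line (?P<line>\d+)"
)

def parse_safe_mode_denials(log_text):
    """Return one dict per safe-mode UID denial found in log_text."""
    denials = []
    for match in SAFE_MODE_RE.finditer(log_text):
        denial = match.groupdict()
        for key in ("script_uid", "target_uid", "line"):
            denial[key] = int(denial[key])
        denials.append(denial)
    return denials

def mismatches_by_script(denials):
    """Group denials per script and flag scripts owned by root (uid 0)."""
    report = {}
    for d in denials:
        entry = report.setdefault(d["script"], {
            "script_uid": d["script_uid"],
            "root_owned": d["script_uid"] == 0,
            "targets": {},
        })
        entry["targets"][d["target"]] = d["target_uid"]
    return report

if __name__ == "__main__":
    found = mismatches_by_script(parse_safe_mode_denials(SAMPLE_LOG))
    for script, info in found.items():
        print(f"{script} (owner uid {info['script_uid']})")
        for target, uid in info["targets"].items():
            print(f"  denied: {target} (owner uid {uid})")
```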