php user file access

Discussion in 'Server Operation' started by MisterVlad, Nov 23, 2007.

  1. MisterVlad

    MisterVlad New Member

    Ok, I am stumped. I have tried everything. I am trying to limit users' access to other people's files on the server.

    I have tried everything I can think of... I have suPHP running at the moment, and it is 1/2 right... The issue I was having was that if I uploaded a file through PHP, it was taking the Apache default user's id and gid. Now that is solved, but the user can still get access to the complete server files... meaning userA can access userB's files.

    I have now gone as far as creating the users (which I had done previously) and giving them their own group (instead of using the same group for all users).

    Now userA has a gid of userA and userB, userB. Still, complete access.

    How can I limit userA to only be able to access userA's files, but still be able to upload through PHP/HTML and preserve their uid and gid on that file?

    I am so stumped, and so frustrated that I can't think. I personally don't want to go to ISPConfig (even though it is a great program), because it is too much for what I need. I have ProFTPD-MySQL, PHP5, Postfix-with-MySQL-email on the server, which is pretty much all I need, as I manage my DNS through a separate provider.

    Can someone please help? Or at least point me in the right direction? All I want is a little PHP user security....

  2. falko

    falko Super Moderator ISPConfig Developer

    Do you mean on the shell, or through some PHP script or something like that?
  3. MisterVlad

    MisterVlad New Member

    Through the script.

    For example, this is the directory:
    Now, if userA had this in the index.php script:
    it would show everything in userB's index.php file...
    How would I stop userA from reading userB's files, or worse, the root files?

    As another example, the users are:
    UID            GID
    userA(2001)    userA(2001)
    userB(2002)    userB(2002)
    When safe mode is off in the php.ini, the users cannot read each other's files; it comes up with permission errors. But if the user tries to upload a file through HTML and move it into their own directory, it takes on the UID and GID listed in the php.ini file, which is www-data(33)/(33), and then that user cannot do anything else with that upload.

    Maybe I am overthinking something, and making it seem too complicated, but is there a way to make it so that any files that are created in that user's sub-directories automatically take on the UID and GID (or at least the GID) of the owner of that directory, so that the script can read or write or delete that file if they so choose to?

    This has just got me stumped, and I am sure that there is an easy solution, I just can't think of what it is at this moment in time.
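
An added example, not part of the original thread: once suPHP runs each site's scripts as that site's own user, what userA can reach in userB's tree is decided by the "other" permission bits, so this Python check walks one site directory and lists entries that other accounts can read, write or traverse, plus entries not owned by the expected uid (such as an upload left owned by www-data). The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_site(root, expected_uid):
    """Return sorted (relative_path, issue) pairs for one site's tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            if st.st_uid != expected_uid:
                # e.g. an upload left owned by the web server user
                findings.append((rel, "foreign-owner"))
            if st.st_mode & stat.S_IROTH:
                findings.append((rel, "other-read"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "other-write"))
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IXOTH:
                findings.append((rel, "other-traverse"))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample layout (not from the thread), made in a temp dir."""
    root = tempfile.mkdtemp(prefix="site_")
    html = os.path.join(root, "public_html")
    uploads = os.path.join(html, "uploads")
    os.makedirs(uploads)
    for name in ("index.php", "config.php"):
        with open(os.path.join(html, name), "w") as fh:
            fh.write("<?php // constructed sample\n")
    # chmod explicitly so the result does not depend on the umask
    os.chmod(root, 0o700)
    os.chmod(html, 0o750)
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(html, "index.php"), 0o640)
    os.chmod(os.path.join(html, "config.php"), 0o644)
    return root

if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, issue in audit_site(demo, os.getuid()):
        print(f"{issue:15} {rel}")
```

Removing the "other" bits from a site's tree also locks out Apache's own user for static files unless it is granted access another way, for example through group membership.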

  4. falko

    falko Super Moderator ISPConfig Developer

    Normally PHP Safe Mode is the solution to the problem.

    Can you post your vhost configuration?
  5. MisterVlad

    MisterVlad New Member

    Every website that I host has its own file called:
    theirdomain_tld.conf, and they all have the same settings within their conf file:
    <VirtualHost *>
    	ServerName theirdomain.mydomain.tld
    	ServerAlias theirdomain.tld
    	ServerAlias www.theirdomain.tld
    	ServerAdmin [email protected]
    	DocumentRoot /www/theirdomain_tld/public_html/
    	ErrorLog /www/theirdomain_tld/www_logs/error.log
    	# Possible values include: debug, info, notice, warn, error, crit,
    	# alert, emerg.
    	LogLevel warn
    	CustomLog /www/theirdomain_tld/www_logs/access.log combined
    	ServerSignature On
    </VirtualHost>
    /www is my SCSI device B partition 1, which houses all my web files, and is quota'd by user. Every domain that I host gets a username and group as their domain name within the system, which has no shell login, but when created, gets its directory created from /etc/skel and gets assigned 100mb of disk space, and also gets a MySQL user created, and an FTP account as well. I have to manually add the Apache conf file within the /etc/apache2/sites-enabled/ directory. (Just thought I would try to explain my system a little better to maybe get my problem resolved.)

    Is there something that I am missing within this file? Or could there be a more efficient way to do this?

    Last edited: Nov 25, 2007
  6. MisterVlad

    MisterVlad New Member

    I just read something... a2ensite, which adds to the /etc/hosts file... What does this do? Does this need to be done? I have never done this :confused:

    I am doing more searching now to figure out what in fact this does...
  7. falko

    falko Super Moderator ISPConfig Developer

    You don't need a2ensite.

    I don't see anything suPHP-related in the vhost configuration...
