PHP security issues

Posted: 08. August 2004 19:21
by tchamberlain
I have a Windows 2000 Server box running mini-xampp, and it works like a charm. I have ServU FTP on the machine; it limits the user to their home directory and nowhere else. I have a directory in the mini-xampp folder called users. Our billing system automatically creates the user's folder, using their 4-digit customer number for the user's directory.


So if a user was customer # 1001, then they would be accessible on our site at

http://members.domain.com/~1001/

So far everything's fine, but I have virtual hosts on the box using their folder located under users for when they want to have www.mydomain.com, which works great as well. So user 1001 can also be www.mydomain.com using the same folder. Most users just have the free non-virtual-host setup.

I'm real happy with the setup, but I just realized (duh!) that anyone I give php access to can view anything on the hard drive.

Can I disable PHP on the Apache main server (if that's the correct usage) and assign it only to the virtual hosts I want to have it?

In other words, I don't want our dialup users who get free web sites to have PHP, but I do want our virtual host users to have PHP; that limits access to PHP to a very select few.

And/Or

Is there a way to tell PHP not to access anything outside my c:\minixampp\users directory?

I still would want to disable PHP for everyone but the virtual hosts if possible.

Thanks in advance for any help anyone can give. I searched here and found nothing related to this in the English forum areas.

Posted: 08. August 2004 19:44
by tchamberlain
OK, I figured out how to restrict it to only virtual hosts and on a per-host basis, and thought I would post it in case anyone else ever needed this.

I commented out the addtype application/x-httpd-php line in httpd.conf


And copied it to each of the virtual hosts I wanted to have PHP ability, uncommented of course.

Now all I have to do is figure out how to restrict PHP to a certain directory on the hard drive, in my case the main users directory and subdirectories.

Posted: 08. August 2004 21:30
by Wiedmann
"Now all I have to do is figure out how to restrict PHP to a certain directory on the hard drive, in my case the main users directory and subdirectories."

http://de.php.net/manual/en/features.sa ... en-basedir

Posted: 08. August 2004 22:07
by tchamberlain
Thank you so much for that. I was able to add the correct setting per vhost to limit them to that directory and subdirectories below it.

In my example for user 1001, I added this in the vhost area for them:

php_admin_value open_basedir "c:/minixampp/user/1001/"


Again, thanks. I feel a lot more secure knowing users cannot roam the system and read and write anywhere they want to.
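
Added example, not part of the original thread: a small Python check for the setup the posts arrive at, run over a constructed httpd.conf excerpt. It flags any scope where the AddType application/x-httpd-php line is active without a php_admin_value open_basedir, or where the open_basedir path has no trailing separator; the function name audit and the sample hostnames and paths are assumptions.

```python
import re
# Constructed httpd.conf excerpt (not from the thread); hosts and paths are assumptions.
SAMPLE_CONF = '''
#AddType application/x-httpd-php .php
<VirtualHost *:80>
    ServerName www.mydomain.com
    AddType application/x-httpd-php .php
    php_admin_value open_basedir "c:/minixampp/users/1001/"
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.org
    AddType application/x-httpd-php .php
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.net
    AddType application/x-httpd-php .php
    php_admin_value open_basedir "c:/minixampp/users/1003"
</VirtualHost>
'''

def audit(conf_text):
    """Return (scope, problem) pairs for every scope that enables PHP unsafely."""
    main = {"name": "main server", "php": False, "basedir": None}
    scopes, current = [main], main
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        low = line.lower()
        based = re.match(r'php_admin_value\s+open_basedir\s+"?([^"]+)"?', line, re.I)
        if low.startswith("<virtualhost"):
            current = {"name": "unnamed vhost", "php": False, "basedir": None}
            scopes.append(current)
        elif low.startswith("</virtualhost"):
            current = main
        elif low.startswith("servername ") and current is not main:
            current["name"] = line.split()[1]
        elif re.match(r"addtype\s+application/x-httpd-php(\s|$)", low):
            current["php"] = True
        elif based:
            current["basedir"] = based.group(1)
    findings = []
    for s in scopes:
        if s["php"] and s is main:
            findings.append((s["name"], "PHP enabled server-wide, free sites included"))
        if s["php"] and s["basedir"] is None:
            findings.append((s["name"], "PHP enabled without open_basedir"))
        # Older PHP releases match open_basedir as a string prefix, so the separator matters.
        elif s["php"] and not s["basedir"].endswith(("/", "\\")):
            findings.append((s["name"], "open_basedir has no trailing slash"))
    return findings
```

Calling audit(SAMPLE_CONF) reports www.example.org and www.example.net and leaves www.mydomain.com unflagged. Only AddType is recognised as enabling PHP, matching the directive used in the thread.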