Running php as cgi would still involve unique uid's, and I've got about 30k+ virtual users. -----Ursprungligt meddelande----- Från: jslive@xxxxxxxxx [mailto:jslive@xxxxxxxxx] För Joshua Slive Skickat: den 29 maj 2006 22:47 Till: users@xxxxxxxxxxxxxxxx Ämne: Re: [users@httpd] Running vhosts with php and virtual users On 5/29/06, Mattias Segerdahl <mattias.segerdahl@xxxxxxxxx> wrote: > I'm experiencing difficulties using apache in the following > environment. Is there any good solution that would solve the security problems? > > Server version: Apache/2.2.2 > Server built: May 14 2006 18:14:53 > PHP 5.1.4 (cli) (built: May 5 2006 19:14:55) > > Virtual users are stored under /home/web/domain.tld/username where > users have access to their directory using a ftpd with virtual > accounts. All files and directories are owned by a single system uid/gid. > > Now, using this setup, users can access files and directories outside > their own home using php, this is something that I really need to > prevent. I'd like to chroot/jail them to their own directory. I could > run a config parser and set up <Directory> settings for each users > having php_admin_value set for open_basedir. But that seems to be a bit much. > > Is there any other way to approach this problem? There is no simple answer to this problem. If you trust open_basedir, then that is the easiest solution. Otherwise, the solutions involve running php as a cgi script under suexec or similar program, or running multiple apache instances with a proxy in front to dispatch to the correct instance. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
|