Re: Re: Secure File Paths, File System - (simplified question)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Shawn McKenzie wrote:

Daniel Kolbo wrote:

Hello PHPers,

I am quite ignorant about file system security.   I was hoping you all
could help me understand things.

How does one restrict php script from going (reading, writing) files in
the file system?
As I see it, a php programmer could change the include_path, with
ini_set(), use "../" etc..., and browse all the files on the server to
which the php engine has access.  This would clearly not be acceptable
to a web host company, so how do most hosts restrict this kind of
behaviour?

Now, suppose i only have php access to my 'files' as defined by my host
somehow.  (again, my first part of the question is how do they do
this?).  Is it possible for me to further restrict this file
accessibility for different sub-folders?  Let me provide an example
folder hierarchy and user scenario.
Suppose there are two php programmers (me and you).  I want full access,
but I want to restrict you to your subdomain (subdomain2).

+AllUsers (me and you)
+Domain1
++Subdomain1 (me only)
++Subdomain2 (me and you)
++SharedDomain (me and you)
+ServerFile1 (me only)
+ServerFile2 (me only)
+SecretFile (no user)

Thanks for helping understand how to restrict/limit different php
programmers from going into places I'd rather them not go.
dK



Two methods come to mind, chroot and just setting perms for specific dirs.



Hello,
1) chroot
I don't understand how to specify to the php engine to chroot upon different scripts being executed (scripts that i don't control). Would you please clarify? 
2)perms
The php engine is what has access to specific dirs (not users, scripts,). That i know of, the php engine doesn't allow per user permissions. That is, it is one engine, one set of perms. Are you suggesting i have a separate php engine for each user?
3) Maybe i can simplify this question: How does a hosting company, in a shared virtual host server environment, prevent all their clients (php programmers) from snooping into all the other clients' folders? I am assuming we are all using the same php engine, as it is a shared apache host.
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux