0

I have an Ubuntu system hosting several websites. The DocumentRoot folder of each website is separate and has a different user. The paths are like this:

/<path_from_root>/websites/websiteA
/<path_from_root>/websites/websiteB

Let's assume that the respective users are userA and userB. Though, the userB doesn't have read access to the folder websiteA, the apache user does have the access. userB can simply write a php file like this in his directory:

<?php
$x=file_get_contents('../websiteA/config.php');
echo $x;
?>

This file will expose the config.php file to the userB. The key issue is that apache needs to have read access to both the folders for running the web services but the userB can exploit this to access userA's files. How to prevent this from happening?

agamagarwal
  • 978
  • 7
  • 17

2 Answers2

2

You can use the php directive open_basedir in your apache or vhost config files for individual settings.

<VirtualHost *:80>
    <Directory /docroot>
        php_admin_value open_basedir /docroot 
    </Directory>
<VirtualHost>

so scripts within this path can not open files outside of it.

Community
  • 1
  • 1
Jango Brain
  • 63
  • 9
0

You might want to look into how Apache and PHP are connected on your machine. If you use the Apache module mod_php, as far as I know all PHP code is executed as the user Apache itself runs as. If you connect PHP with CGI (fcgi, fastcgi or something from that range), you can use suEXEC. With suEXEC, you can set the user that PHP should run as per virtual host.

Henning Kockerbeck
  • 742
  • 7
  • 15