chroot for php

Discussion in 'Server Operation' started by CarbonCopy, Apr 17, 2009.

  1. CarbonCopy

    CarbonCopy New Member

    I have a directory structure like this:


    My FTP is set up so the user is chrooted to their home dir, /home/user, with symlinks to the domains they are allowed in, for example:

    /home/user1/ -> /www/
    /home/user1/ -> /www/
    /home/user2/ -> /www/

    Now I want it so when PHP scripts execute, user2 cannot access files in user1's folders, and user1 cannot access files in user2's folder.

    Not even directory listings.

    So how, in detail, would I do this, or is there a guide to do this (using Apache 2.2 and PHP5)?

    I would prefer not having all my apache files in 1 directory, but I suppose I could give it a try. I only have 1 active site on my server, so some downtime isn't too big of a deal, but I would still rather not do it that way.


  2. falko

    falko Super Moderator ISPConfig Developer

  3. CarbonCopy

    CarbonCopy New Member

    I tried that and was still able to get a directory listing of /etc/

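    <?php
    // directory to list (outside the site, to test the restriction)
    $path = "/etc";
    // open the directory, or stop if that fails
    $dir_handle = @opendir($path) or die("Unable to open $path");
    echo "Directory Listing of $path<br/>";
    // loop over the entries; compare with false so an entry named "0" does not end the loop
    while (($file = readdir($dir_handle)) !== false) {
        echo "<a href='$file'>$file</a><br/>";
    }
    // close the directory
    closedir($dir_handle);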
  4. falko

    falko Super Moderator ISPConfig Developer

    Then you didn't implement safe mode correctly.
  5. CarbonCopy

    CarbonCopy New Member

    phpinfo() tells me safe mode is on, how else should I implement it?
  6. falko

    falko Super Moderator ISPConfig Developer

    Try something like this:

    php_admin_flag safe_mode On
    php_admin_value open_basedir /www/
    php_admin_value file_uploads 1
    php_admin_value upload_tmp_dir /www/
    php_admin_value session.save_path /www/
  7. CarbonCopy

    CarbonCopy New Member

    That makes sense, but how can I do it on a per-site basis?
  8. falko

    falko Super Moderator ISPConfig Developer

    You'd have to add this to each vhost.
  9. Ben

    Ben ISPConfig Developer ISPConfig Developer

    But then this has nothing to do with safe mode as open_basedir restricts the access directories afaik without safe_mode as well.
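
A check for the per-vhost setup discussed in this thread, as an added example that is not part of any post: it reads Apache vhost blocks and reports any site whose `open_basedir` is missing or wide enough to cover another site's DocumentRoot. The host names and paths in the sample are constructed placeholders, and the parser assumes plain `<VirtualHost>` blocks with one DocumentRoot each and no Include files.

```python
import re
from posixpath import normpath

# Constructed sample: host names and paths are placeholders, not from the thread.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName user1.example
    DocumentRoot /www/user1.example/web
    php_admin_value open_basedir /www/user1.example/
</VirtualHost>
<VirtualHost *:80>
    ServerName user2.example
    DocumentRoot /www/user2.example/web
    php_admin_value open_basedir /www/
</VirtualHost>
<VirtualHost *:80>
    ServerName user3.example
    DocumentRoot /www/user3.example/web
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, pattern):
    """Last value given for a directive inside one vhost body, or None."""
    hits = re.findall(rf"^\s*{pattern}\s+(\S+)", body, re.M | re.I)
    return hits[-1].strip('"') if hits else None

def inside(path, base):
    """True if path equals base or lies beneath it, compared per component."""
    path, base = normpath(path), normpath(base)
    return path == base or path.startswith(base.rstrip("/") + "/")

def audit(conf):
    """Flag vhosts with no open_basedir or one that covers another site's docroot."""
    vhosts = [{"name": directive(b, "ServerName"),
               "root": directive(b, "DocumentRoot"),
               "basedir": directive(b, r"php_admin_value\s+open_basedir")}
              for b in VHOST_RE.findall(conf)]
    findings = []
    for v in vhosts:
        if v["basedir"] is None:
            findings.append((v["name"], "no open_basedir set"))
            continue
        allowed = v["basedir"].split(":")  # ':'-separated list on Unix
        for o in vhosts:
            if o is not v and any(inside(o["root"], a) for a in allowed):
                findings.append((v["name"], f"open_basedir covers {o['name']}"))
    return findings
```

`audit(SAMPLE_CONF)` returns (ServerName, problem) pairs: the second sample vhost is flagged because its `open_basedir` is the shared parent directory, the third because it sets none.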
