SECURITY issue with Virtual hosting with Proftpd & Mysql Hi all, I'm also running a server with virtual hosting, based on the tutorial using proftpd and mysql: http://www.howtoforge.com/proftpd_mysql_virtual_hosting I got it all running fine, multiple uses, and all are kept securely jailed in their home directories when the ftp connect in. So they can only upload/download/view files in their home dir. However I came across a big security issue. As all the files/dirs that created by these virtual ftp users are owned by the system user: User: ftpuser Group: ftpgroup Then any user can create a small PHP script, which can traverse the directories of other users and read their files!! Here's an example, 2 virtual users have these homedirs: In /home: Code: drwxr-sr-x 3 ftpuser ftpgroup 4096 Jun 27 12:46 user1 drwxr-sr-x 3 ftpuser ftpgroup 4096 Jul 1 19:28 user2 So user1 has all their files in /home/user1/ and user2 in /home/user2 And as you can see both are owned by the ftpuser.ftpgroup. If user1 was to write a small php script, called test.php, in /home/user1/test.php, like this: PHP: $dir = "../" if ($handle = opendir($dir)) { while (false !== ($file = readdir($handle))) { if ($file != "." && $file != "..") { echo "$file<br>"; } } closedir($handle); } It would result in these dirs being displayed: user1 user2 And if the changed $dir to be: "../user2/", they could view all files under user2's directory. Basically cause everything is owned by the same system user/group. How can I get around this, as its pretty insecure, especially if one of my users happens to be a PHP developer, and decides to write some code to see what the can do on the system... Thanks, Mike.
Ok thanks, I will try that this weekend. I presume that I follow: http://nz.php.net/manual/en/features.safe-mode.php And foreach virtual host, set things like 'safe_mode_include_dir ' and 'safe_mode_exec_dir ', and 'open_basedir'
Yes. Something like this should work: Code: php_admin_flag safe_mode On php_admin_value open_basedir /var/www/web1/ php_admin_value file_uploads 1 php_admin_value upload_tmp_dir /var/www/web1/phptmp/ php_admin_value session.save_path /var/www/web1/phptmp/ Of course, you must adjust the paths.
Excellent, thanks That worked well. Glad to have that security flaw fixed up, now I can rest easy knowing users my servers can't read/view anything they aren't allowed to!