security issue using suphp with php filemanager

Discussion in 'Installation/Configuration' started by edwintenhaaf, Aug 17, 2007.

  1. edwintenhaaf

    edwintenhaaf New Member

    Hello,

    It took me a while to get suPHP running on my Strato VPS server with Debian Etch, but now it's working almost perfectly.

    I have one 'little' problem. When using a PHP file manager, users can browse out of their own webX folder and go into other users' folders and read all files, some with passwords in them, like the config.php used by Joomla.

    How do I solve this? I can't be the only one with this problem?

    Edwin
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can specify a custom php.ini file for suPHP in the Apache directives field of the website and then set a PHP open_basedir value for the website that prevents file system browsing.
     
  3. edwintenhaaf

    edwintenhaaf New Member

    Thanks again for the quick reply

    Found the open_basedir setting in php.ini and played around with it.
    Users are now 'chrooted' to /var/www/, but that's not the solution you mentioned.

    Do I put a copy of the original php.ini in the /var/www/webX folder,
    edit the open_basedir value,
    and copy the directive PHPIniDir "/var/www/webX" into the Apache directives field under that domain in ISPConfig?
     
  4. edwintenhaaf

    edwintenhaaf New Member

    Got it working !

    The directive to use in Apache is:

    suPHP_ConfigPath /var/www/webX/etc

    Create the custom php.ini in /var/www/webX/etc
    and set permissions to rw-r--r-- 0644 root:root so users cannot remove or edit it.
    (Is it possible to put it in a folder outside the user's web dir?)

    Add the following line to this php.ini:

    PHP:
    open_basedir = /var/www/webX/

    Restart Apache.

    Now users are chrooted to their own folder,
    and even with a PHP file manager they can't escape :)

    I'm happy. Disk quotas are working fine because of suPHP, and the security is better.
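The procedure in the post above (per-site php.ini under webX/etc, open_basedir pinned to the site, 0644 root:root, suPHP_ConfigPath directive) as an added shell example. This is not code from the thread or from ISPConfig; it assumes the ISPConfig layout /var/www/webX, taken as arguments so it can be tried in a scratch directory, and mod_suphp honouring suPHP_ConfigPath. The check function is an addition that also catches the one detail that is easy to get wrong: PHP matches open_basedir entries as string prefixes, so the trailing slash is what keeps /var/www/web1 from also admitting /var/www/web10.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig.
# Assumes the ISPConfig layout WWW_ROOT/SITE (e.g. /var/www/web7) and
# mod_suphp honouring the suPHP_ConfigPath directive.

# make_site_phpini WWW_ROOT SITE
#   Creates WWW_ROOT/SITE/etc/php.ini restricting open_basedir to the site
#   and prints the Apache directive to paste into the site's directives field.
make_site_phpini() {
    www_root="$1"; site="$2"
    sitedir="$www_root/$site"
    etcdir="$sitedir/etc"
    mkdir -p "$etcdir" || return 1
    # The trailing slash is deliberate: PHP treats open_basedir entries as
    # string prefixes, so "/var/www/web1" would also admit /var/www/web10.
    cat > "$etcdir/php.ini" <<EOF
; per-site php.ini, loaded through: suPHP_ConfigPath $etcdir
open_basedir = $sitedir/
EOF
    # 0644 so the site user can read but not modify the file; root ownership
    # is applied only when this runs as root (as it will on the real server).
    chmod 0644 "$etcdir/php.ini" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$etcdir/php.ini" || return 1
    fi
    printf 'suPHP_ConfigPath %s\n' "$etcdir"
}

# check_site_phpini WWW_ROOT SITE
#   Returns 0 when the php.ini exists, is exactly mode 0644 and pins
#   open_basedir to the site's own directory including the trailing slash.
check_site_phpini() {
    www_root="$1"; site="$2"
    f="$www_root/$site/etc/php.ini"
    [ -f "$f" ] || return 1
    # find with -prune prints the path only if the mode is exactly 0644
    [ -n "$(find "$f" -prune -perm 0644)" ] || return 1
    # -x -F: the whole line must equal this fixed string (no prefix matches)
    grep -qxF "open_basedir = $www_root/$site/" "$f" || return 1
    return 0
}
```

On the server, run `make_site_phpini /var/www web7` as root, paste the printed `suPHP_ConfigPath` line into the site's Apache directives field in ISPConfig and restart Apache; `check_site_phpini /var/www web7` then confirms the file is still root-owned 0644 and unmodified. If uploads or sessions stop working afterwards, the site's upload_tmp_dir and session.save_path must also lie inside the open_basedir path list, since open_basedir restricts every file operation PHP performs, not only the file manager's browsing.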
     
