You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Graham Frank <gf...@neoservers.com> on 2006/01/19 03:13:00 UTC

[users@httpd] php_admin_flag question

Hello.

I am trying to restrict a open_basedir to the document root of the domain.
So I have the following in httpd.conf.

<Location />
  php_admin_value open_basedir /
</Location>

That isn't working.  I've tried it using <Directory /> as well.  I'm still
able to fopen("/etc/passwd");  How could I make it so that a person in say
/home/username/domain.com can only include from /home/username/domain.com
and not /etc/passwd (for example)?  I would turn on safe_mode, but files are
uid:gid the client's FTP account while apache doesn't suexec to their
username and runs httpd:httpd.

Thanks!

-------------------------------------------------------------------
Graham Frank
Neoservers LLC (http://www.neoservers.com/)
Founder and Owner


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] php_admin_flag question

Posted by Graham Frank <gf...@neoservers.com>.

Heh, what's funny is that the PHP docs actually suggest that (but using Directory).

Anyway, I've come up with another solution, so this is resolved.

-Graham Frank


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] php_admin_flag question

Posted by Joe Orton <jo...@redhat.com>.

On Wed, Jan 18, 2006 at 08:13:00PM -0600, Graham Frank wrote:
> I am trying to restrict a open_basedir to the document root of the domain.
> So I have the following in httpd.conf.
> 
> <Location />
>   php_admin_value open_basedir /
> </Location>

open_basedir takes a filesystem path, that directive has no effect at 
all.  open_basedir itself is not a reliable security barrier in any 
case, see http://www.php.net/security-note.php.

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org