Posted to users@httpd.apache.org by Graham Frank <gf...@neoservers.com> on 2006/01/19 03:13:00 UTC
[users@httpd] php_admin_flag question
Hello.
I am trying to restrict an open_basedir to the document root of the domain.
So I have the following in httpd.conf.
<Location />
php_admin_value open_basedir /
</Location>
That isn't working. I've tried it using <Directory /> as well. I'm still
able to fopen("/etc/passwd"). How could I make it so that a person in, say,
/home/username/domain.com can only include from /home/username/domain.com
and not /etc/passwd (for example)? I would turn on safe_mode, but files are
uid:gid the client's FTP account while apache doesn't suexec to their
username and runs httpd:httpd.
Thanks!
-------------------------------------------------------------------
Graham Frank
Neoservers LLC (http://www.neoservers.com/)
Founder and Owner
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] php_admin_flag question
Posted by Graham Frank <gf...@neoservers.com>.
Heh, what's funny is that the PHP docs actually suggest that (but using Directory).
Anyway, I've come up with another solution, so this is resolved.
-Graham Frank
Re: [users@httpd] php_admin_flag question
Posted by Joe Orton <jo...@redhat.com>.
On Wed, Jan 18, 2006 at 08:13:00PM -0600, Graham Frank wrote:
> I am trying to restrict an open_basedir to the document root of the domain.
> So I have the following in httpd.conf.
>
> <Location />
> php_admin_value open_basedir /
> </Location>
open_basedir takes a filesystem path; that directive has no effect at
all. open_basedir itself is not a reliable security barrier in any
case; see http://www.php.net/security-note.php.
joe
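
Added example, not part of the original thread: the directive from the question beside a per-site form that names a filesystem path. The paths are the ones used in the question; the VirtualHost wrapper, port and ServerName are assumptions for illustration.

```apache
# As posted in the question (left commented out here). The value "/" is
# the filesystem root, so every path on the machine is inside the allowed
# tree and fopen("/etc/passwd") still succeeds.
#
# <Location />
#     php_admin_value open_basedir /
# </Location>

# Per-site form (assumed layout: one VirtualHost per customer domain).
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /home/username/domain.com

    <Directory /home/username/domain.com>
        # The value is a filesystem path, not a URL path.
        # The trailing slash matters on PHP versions that treat the value
        # as a string prefix: without it, a sibling directory such as
        # /home/username/domain.com-old would also match.
        # php_admin_value (rather than php_value) cannot be overridden
        # from .htaccess or with ini_set().
        php_admin_value open_basedir /home/username/domain.com/
    </Directory>
</VirtualHost>
```

With this in place, fopen("/etc/passwd") from a script under that directory is refused by PHP; as the reply above says, open_basedir is still not a reliable security barrier.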