You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Jacob Miller <ja...@denjak.com> on 2005/05/01 02:13:54 UTC

[users@httpd] Keep php from reading into other virtualhosts document roots

I was hoping perchild MPM would be my savior, but alas, it was not to be.  
Here's what I want to do:
I have about 10 Virtual Hosts.  They all need/want to use PHP.  My problem
is that users on www.denjak.com can write a simple PHP script to ls or cat
files on www.banditlair.com.  The directories are setup in this fashion:
/www/www.denjak.com/htdocs
/www/www.banditlair.com/htdocs
/www/www.etc,etc.com/htdocs

I want to keep virtual hosts from being able to read outside the document
root or at least the base www.whatever.com directory.  Since most of my
virtual hosts are owned by me I'm really not worried yet, but I was hoping
to let some frieds host domains on my server.  I was hoping perchild or
metux MPM would do the trick but I can't get either of them to work.  Is
there anyway for this to be done?  Is there anything like perchild or metux
MPM in the works for apache 2.1 or beyond?  I would imagine this would be
pretty valuable if it actually worked.
Thanks,
Jake Miller


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Keep php from reading into other virtualhosts document roots

Posted by "oxfordmusic.net" <li...@oxfordmusic.net>.

> On 4/30/05, Chris <> wrote:
>> Try PHPs Safe Mode:
>>
>> http://www.php.net/features.safe-mode
>>
>> It looks like open_basedir is the config option that would work for you.
>

AFAIK open_basedir is not limited to PHP's safe mode but can be applied 
whether safe mode is on or off.

andy 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Keep php from reading into other virtualhosts document roots

Posted by Joshua Kugler <jo...@uaf.edu>.

There also is the option of not using mod_php and running all PHP scripts via 
the PHP command line binary.  If you have just a few users and a fast 
computer, you shouldn't notice the overhead.

j----- k-----

On Sunday 01 May 2005 05:49, Jacob Miller wrote:
> Thanks, I really want to separate everything about the vhosts, so I think
> I'll run them on different ports.  I hadn't even thought of that.
> Thanks for the help.
> Jake

-- 
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Keep php from reading into other virtualhosts document roots

Posted by Jacob Miller <ja...@denjak.com>.

Thanks, I really want to separate everything about the vhosts, so I think
I'll run them on different ports.  I hadn't even thought of that.
Thanks for the help.
Jake

-----Original Message-----
From: Joshua Slive [mailto:jslive@gmail.com] 
Sent: Saturday, April 30, 2005 10:16 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Keep php from reading into other virtualhosts
document roots

On 4/30/05, Chris <li...@leftbrained.org> wrote:
> Try PHPs Safe Mode:
> 
> http://www.php.net/features.safe-mode
> 
> It looks like open_basedir is the config option that would work for 
> you.

Yes, I believe that's how most people do this.

If you really want to give alternative permissions to these other vhosts,
then you can run them from a separate instance of apache on a high-numbered
port with whatever User/Group you want, then have the main apache instance
proxy the requests back to them.  This is essentially what perchild/metux do
anyway.  They just do it in a slightly more streamlined fashion.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info. To
unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Keep php from reading into other virtualhosts document roots

Posted by Joshua Slive <js...@gmail.com>.

On 4/30/05, Chris <li...@leftbrained.org> wrote:
> Try PHPs Safe Mode:
> 
> http://www.php.net/features.safe-mode
> 
> It looks like open_basedir is the config option that would work for you.

Yes, I believe that's how most people do this.

If you really want to give alternative permissions to these other
vhosts, then you can run them from a separate instance of apache on a
high-numbered port with whatever User/Group you want, then have the
main apache instance proxy the requests back to them.  This is
essentially what perchild/metux do anyway.  They just do it in a
slightly more streamlined fashion.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Keep php from reading into other virtualhosts document roots

Posted by Chris <li...@leftbrained.org>.

Try PHPs Safe Mode:

http://www.php.net/features.safe-mode

It looks like open_basedir is the config option that would work for you.

Chris

Jacob Miller wrote:

>I was hoping perchild MPM would be my savior, but alas, it was not to be.  
>Here's what I want to do:
>I have about 10 Virtual Hosts.  They all need/want to use PHP.  My problem
>is that users on www.denjak.com can write a simple PHP script to ls or cat
>files on www.banditlair.com.  The directories are setup in this fashion:
>/www/www.denjak.com/htdocs
>/www/www.banditlair.com/htdocs
>/www/www.etc,etc.com/htdocs
>
>I want to keep virtual hosts from being able to read outside the document
>root or at least the base www.whatever.com directory.  Since most of my
>virtual hosts are owned by me I'm really not worried yet, but I was hoping
>to let some frieds host domains on my server.  I was hoping perchild or
>metux MPM would do the trick but I can't get either of them to work.  Is
>there anyway for this to be done?  Is there anything like perchild or metux
>MPM in the works for apache 2.1 or beyond?  I would imagine this would be
>pretty valuable if it actually worked.
>Thanks,
>Jake Miller
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>  
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org