
I've set up all of my sites in different /var/www subdirectories. Let's say I have 5 sites based on a CMS like WordPress in /var/www/a.com, /var/www/b.com, /var/www/c.com, /var/www/d.com and /var/www/e.com.

But I've found out that if I give admin permissions to someone in a.com, with certain plugins, they can get access to crawl down to /var/www and access a different directory, let's say /var/www/c.com. Therefore they can gain access by reading, for example, the config file (wp-config.php) in the case of WordPress, because ultimately the directory listing plugins do it via the web server, which may have group access permissions.

The only solution I find is to restrict full access both to guest and group just in this file, so technically it will be only accessible via SSH with root access, but this may lead to errors since the web server won't be able to access it unless the web server user is the owner.

This leads me to the conclusion that there is an inherent risk if you host multiple sites in the same host, and they run the same web server daemon. But there should be a solution, because this is done by hundreds of web hostings all around the world.

Can anyone recommend me a solution given this scenario?

KazikM
SirLouen

2 Answers


The simplest way, if you use PHP and you want to block any PHP script from browsing directories other than the one of your current website, is to use open_basedir.

More info: https://www.php.net/manual/en/ini.core.php#ini.open-basedir

Edit: To be more secure, as Gerald Schneider said, add your open_basedir to your web server config or your PHP pool.

Add a .user.ini file in your website folder and change the owner permissions so that your web server or PHP cannot edit/delete this file.

Example: /var/www/a.com/.user.ini

Add something like this:

open_basedir = "/var/www/a.com:/tmp"

So it means that PHP won't be able to parse anything outside of these paths (/var/www/a.com and /tmp, needed for uploads).

Check your php.ini to enable this configuration file; to check it, execute phpinfo() and look at user_ini.filename.

More info: https://www.php.net/configuration.file.per-user

This tip protects you only against PHP scripts that use PHP functions, and you don't need to change any directory permissions, but if someone wants to execute a batch script with PHP, it can parse other folders. If you use SFTP, FTP or something else to browse your files, this rule won't work.

Maxence
  • That's absolutely useless. An attacker only needs to delete the .ini file and has access to the whole server again. – Gerald Schneider Jan 08 '21 at 10:25
  • Configuring `open_basedir` is a good start, but it should be configured in the Apache configuration on the VirtualHost level, and PHP should be configured so that it can't be overridden by the user. – Gerald Schneider Jan 08 '21 at 10:27
  • Of course, don't give your webserver or PHP write permission on .user.ini... – Maxence Jan 08 '21 at 10:35
  • Most CMSs, especially WordPress, need write access to their main directory. If you have write access to the directory you can delete the file. – Gerald Schneider Jan 08 '21 at 10:38
  • So what @GeraldSchneider and Maxence are saying is the combination of "open_basedir" within the VirtualHost, example: php_admin_value open_basedir /var/www/a.com – SirLouen Jan 09 '21 at 11:30

The solution was to use PHP-FPM pools so each directory will be running with a different user.

I forgot to write about this before, but this is how I solved my issue, and now the file permissions make sense because I can have a huge control over both owner, group and guest permissions as intended in the UNIX classic filesystem permission control.

SirLouen
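
A per-site pool layout along the lines this answer describes, as an added example that is not the poster's actual configuration. The `site_a`/`site_b` accounts, the `www-data` web-server account, the socket paths and the process limits are assumptions; `open_basedir` is set with `php_admin_value`, as suggested in the comments on the first answer, instead of a `.user.ini` inside the site.

```ini
; Constructed example: one PHP-FPM pool per site, each under its own account.
; Pool files usually live in a pool.d/ directory; the location varies by distribution.
; site_a, site_b, www-data and the socket paths are assumed names.
;
; Matching file permissions (assumed layout):
;   /var/www/a.com                site_a:www-data  0750  web server reads static files,
;                                                        other site accounts cannot enter
;   /var/www/a.com/wp-config.php  site_a:site_a    0600  only a.com's PHP can read it
;   /var/www/b.com                site_b:www-data  0750
;   /var/www/b.com/wp-config.php  site_b:site_b    0600

[a.com]
; PHP for a.com runs as site_a, which owns /var/www/a.com and nothing else.
user = site_a
group = site_a
; Only the web server account may connect to this pool's socket.
listen = /run/php/a.com.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; php_admin_value settings cannot be changed by ini_set() from site code.
php_admin_value[open_basedir] = /var/www/a.com:/tmp

[b.com]
; Separate account: a plugin running in a.com gets "permission denied"
; from the kernel when it tries to read /var/www/b.com/wp-config.php.
user = site_b
group = site_b
listen = /run/php/b.com.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /var/www/b.com:/tmp

; Each VirtualHost then hands .php requests to its own socket, e.g. in Apache:
;   SetHandler "proxy:unix:/run/php/a.com.sock|fcgi://localhost"
```

With this layout the isolation comes from file ownership enforced by the operating system, so it also holds for code that bypasses PHP's own file functions; `open_basedir` remains as a second layer.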