
I installed Apache with FastCGI (mod_fastcgi), suExec and PHP on my local development box. Working perfectly, except one thing.

Let's say I have two users:

user1 - /home/user1/public_html
user2 - /home/user2/public_html

I discovered a serious security hole in my configuration: I can include a file from user2's web root in a user1 file. How can I prevent this? Any tips?

The php-cgi process is running under the correct user.

Alex Berry
Jari V.

3 Answers


I would suggest you set the base_path within your VirtualHost:

php_admin_value open_basedir /usr/local/www/sixeightzero
Mike Mackintosh
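A way to check that every PHP vhost actually carries its own open_basedir, as an added example that is not part of the answer above. It is a POSIX shell/awk audit over Apache vhost files: a vhost is reported MISSING when it sets no php_admin_value open_basedir inside the VirtualHost block (directives in Directory blocks or .htaccess are not inspected), and BROAD when any entry of its open_basedir is neither the vhost's DocumentRoot (or a path below it) nor one of the shared directories in SHARED_DIRS. That allow-list, the sample configuration and the .example host names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original answer. Audits Apache vhost files:
# every VirtualHost must set its own open_basedir, and each entry of that
# open_basedir must be the vhost's DocumentRoot (or below it) or one of the
# shared directories in SHARED_DIRS. The allow-list is an assumption about the
# local layout; adjust it to where PHP sessions and shared libraries live.
SHARED_DIRS="${SHARED_DIRS:-/tmp:/var/lib/php/sessions:/usr/share/php}"

# audit_vhosts FILE...  prints one line per vhost (OK / MISSING / BROAD / NODOCROOT)
# and exits with the number of vhosts that need attention (0 = all fine).
audit_vhosts() {
    awk -v shared="$SHARED_DIRS" '
    BEGIN { ns = split(shared, allow, ":"); bad = 0 }
    /^[ \t]*<VirtualHost/ { inv = 1; name = $2; sub(/>.*/, "", name); docroot = ""; basedir = ""; next }
    inv && /^[ \t]*ServerName[ \t]/ { name = $2; next }
    inv && /^[ \t]*DocumentRoot[ \t]/ { docroot = $2; gsub(/"/, "", docroot); next }
    inv && /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ { basedir = $3; gsub(/"/, "", basedir); next }
    inv && /^[ \t]*<\/VirtualHost>/ {
        inv = 0
        if (docroot == "") { print "NODOCROOT " name; bad++; next }
        if (basedir == "") { print "MISSING " name " docroot=" docroot; bad++; next }
        ok = 1
        ne = split(basedir, entry, ":")
        for (i = 1; i <= ne && ok; i++) {
            # an entry is acceptable if it is the DocumentRoot, lies below it,
            # or is one of the shared directories from the allow-list
            ok = (entry[i] == docroot || index(entry[i], docroot "/") == 1)
            for (j = 1; j <= ns && !ok; j++) if (entry[i] == allow[j]) ok = 1
            if (!ok) { print "BROAD " name " entry=" entry[i] " docroot=" docroot; bad++ }
        }
        if (ok) print "OK " name " open_basedir=" basedir
        next
    }
    END { exit bad }
    ' "$@"
}

# Write a constructed sample configuration (one correct vhost, one without
# open_basedir, one whose open_basedir spans every user) so the audit can be
# exercised offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName user1.example
    DocumentRoot /home/user1/public_html
    php_admin_value open_basedir /home/user1/public_html:/tmp
</VirtualHost>
<VirtualHost *:80>
    ServerName user2.example
    DocumentRoot /home/user2/public_html
</VirtualHost>
<VirtualHost *:80>
    ServerName user3.example
    DocumentRoot /home/user3/public_html
    php_admin_value open_basedir /home
</VirtualHost>
</EOF_PLACEHOLDER_NEVER_MATCHES>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_vhosts "$sample" || echo "$? vhost(s) need attention" >&2
rm -f "$sample"
```

Run it against the real files with `audit_vhosts /etc/apache2/sites-enabled/*` (path assumed); a non-zero exit status makes it usable as a pre-deploy check. The third sample vhost shows why the entry check matters: `open_basedir /home` is set, so a "does the directive exist" grep would pass it, yet it still lets user3's scripts read every other user's files.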

If the aim is to run PHP under the name of the users, to separate them, then try apache2-mpm-itk; it is far easier to deploy than FastCGI and works great.

To use it you only need to add this line to the virtual host configuration:

AssignUserId someuser somegroup

You can also set MaxClientsVHost and NiceValue if you like.

Stone

The only way to do it right is to forbid one user from reading files from the home directory of another user while leaving them readable to the web server.

You can accomplish this by (example):

Mount the file system with the acl option:

mount -o acl /dev/sda /home

Allow webserver to access it:

setfacl -m u:nobody:r-x /home/user1

setfacl -m u:nobody:r-x /home/user2

Allow owner to read it:

setfacl -m u:user1:r-x /home/user1

setfacl -m u:user2:r-x /home/user2

Andrei Mikhaltsov
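An added example (not code from the answer above) that turns the ACL recipe into a repeatable plan plus a check. It assumes Linux with GNU coreutils and the acl package, a file system that already supports ACLs (ext4 does by default; otherwise the mount -o acl step applies), and uses WEB_USER=nobody as the web server account, which is a placeholder. The plan removes group and other access with chmod 700 before adding the ACL, because a world-readable home directory is exactly what lets user1's php-cgi process include user2's files; the owner needs no ACL entry since the owner bits already grant access, and a default ACL is added so files created later inherit the web server entry.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumes Linux with GNU coreutils and the acl package; the file system must
# support ACLs (ext4 does by default, otherwise mount -o acl as in the answer).
# WEB_USER is a placeholder for the account the web server runs as.
WEB_USER="${WEB_USER:-nobody}"

# Print the commands that isolate one user's home directory: drop group and
# other access so another user's php-cgi process can no longer read it, then
# grant the web server traversal/read via an ACL (setfacl recalculates the
# mask so the entry takes effect). The default ACL (-d) makes new
# subdirectories and files carry the same entry. The owner needs no ACL
# entry: the owner bits already grant rwx.
acl_plan() {
    home=$1
    printf 'chmod 700 %s\n' "$home"
    printf 'setfacl -m u:%s:r-x %s\n' "$WEB_USER" "$home"
    printf 'setfacl -d -m u:%s:r-x %s\n' "$WEB_USER" "$home"
}

# Apply the plan to every home directory below the given parent (e.g. /home).
apply_plans() {
    for home in "$1"/*/; do
        acl_plan "${home%/}" | sh -e
    done
}

# Verify that "other" has no access on a directory; that is the bit which
# lets one user's php-cgi process read another user's files. Returns 1 when
# the directory is still world-accessible. The group digit is deliberately
# not checked: once an ACL is set it shows the ACL mask, not real group rights.
check_isolation() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  echo "WARN: $1 is world-accessible (mode $mode)" >&2; return 1 ;;
    esac
}

# Demo on a scratch directory; the check needs no setfacl, only stat.
scratch=$(mktemp -d)
chmod 755 "$scratch"
check_isolation "$scratch" || echo "before: not isolated"
chmod 700 "$scratch"
check_isolation "$scratch" && echo "after: isolated"
acl_plan /home/user1
rmdir "$scratch"
```

Review the printed plan first (`acl_plan /home/user1`), then run `apply_plans /home` as root; afterwards `for d in /home/*/; do check_isolation "$d"; done` confirms no home directory is left world-accessible, which is the condition the original question describes.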