1

I have a file sharing website in the making where I am allowing the visual and function part of pages work. This runs into a problem when I want to allow server side scripting like php pages to be uploaded. This php (etc.) page could easily back link and delete files which I obviously would not want. I have changed the permissions many times to test but this also stops my php files from uploading and renaming files to these folders. I do want to allow these file types but im not sure what I can do.

I was thinking I could do this through .htaccess but I wouldn't know how.

Any suggestions?

Spencer May
  • 4,266
  • 9
  • 28
  • 48

3 Answers3

3

I'm not sure, but it sounds like you want to allow arbitrary file uploads (including .PHP scripts) but to prevent any of them from being executed on the server side.

I would recommend creating a file storage directory that is not web-accessible (e.g. put it outside your www-root or use a .htaccess file to limit direct access). Then have your PHP scripts upload to that directory. Create a download script and have download access to those files go through that script, so that e.g. PHP files cannot be invoked remotely.

asmecher
  • 1,055
  • 7
  • 12
  • This could work but the problem is that I want web files to be displayed visually. I have this programmed perfectly to where web files are displayed and others are downloaded. This means that these files are accessed and displayed into a user.php page which loads user data and makes their page. So by making the files non web accessible and from being executed that means that php files would not work at all for the user. I just want to limit their functions from going up directories outside of their own :/ – Spencer May Jan 09 '13 at 21:38
  • If you just want HTML to be displayed visually (i.e. preserving hrefs to images and the like), you can do that using rewrite to keep relative URLs from breaking. However, it does sound like you want PHP scripts to be able to run, with limitations. This used to be possible in a limited fashion with safe mode, but that was deprecated and removed because it was broken, and as far as I know there's no safe alternative. If you want your PHP script to allow user-supplied PHP code to run, I think you're not going to be able to do it securely. – asmecher Jan 10 '13 at 00:01
  • Actually, I may have spoken too soon; see [runkit](http://php.net/manual/en/runkit.sandbox.php). – asmecher Jan 10 '13 at 00:04
  • I checked it out and it seems to be a sort of a way to stop variable passing and such but I'm not sure it's what I need. I want all functions allowed and not just php, also asp and all serer side scripting. I just want a way to stop any functions from reaching up a directory either from folder permissions or code. Thanks for your input. – Spencer May Jan 10 '13 at 02:04
  • That's an extremely tall order; I'm not sure what the background is, so I'm not sure how firm that requirement is, but if there's any chance to reexamine it I would do so. Technically you may be able to do it by getting each scripting environment to execute in a setuid environment but I doubt it's going to justify the amount of work. – asmecher Jan 10 '13 at 06:59
1

I think it's not about permission, but php execution. You can turn off php engine on a directory using .htaccess file, like this:

<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
ihsan
  • 2,279
  • 20
  • 36
  • Would this allow me to still execute TO the folder? But just keep the files in the folder from executing? I tried to use this in my .htaccess file but it didn't work :/ – Spencer May Jan 15 '13 at 13:26
  • Execute TO the folder, yes. You also have to allow IfModule and php_flag in that folder using `AllowOverride All` in apache config. – ihsan Jan 16 '13 at 06:49
1

If I understand correctly from reading comments:

You want users to be able to upload any file. Including code. Including .php, .asp etc. You want the users to be able to execute this code, but to limit the code to a "sandbox" environment.

Seems to me you should write your files to a specific location, which has its own document root/vhost (http://exec.domain.tld).

On that vhost you could set security, ie:

AllowOverride None # disable rewriting and such
php value disable_functions dl,exec,passthru,system,shell_exec,popen # disable functions

And to top it off (!important) set basedir restrictions to the vhosts document root

<Directory /srv/www/exec.domain.tld/docroot>
  php_admin_value open_basedir /srv/www/exec.domain.tld/docroot 
</Directory>

I haven't actually set up this environment, but I feel this is your best starting point. And I do think it'll work, if you fix the typo's/parameter name errors i might have made :)

Damien Overeem
  • 4,487
  • 4
  • 36
  • 55
  • You are correct on what I want, but I have no idea how to do this. – Spencer May Jan 19 '13 at 21:32
  • If you want user uploaded to be executed on your server, you better make sure you get an idea on how to do the above. Security in your case is paramount. Not knowing how to configure your webserver/permissions makes it a sure bet that you will get hacked somewhere along the line. – Damien Overeem Jan 21 '13 at 09:53