
I'm trying to figure out if there is a way I can allow include files to a certain directory outside of the open_basedir by allowing the path in open_basedir, but at the same time, prevent fopen, file_get_contents, etc. from opening files in those directories.

The idea is to prevent malicious clients from stealing the source code for the platform they only have license use of, and moving it to a different server without authorization.

Since the accounts are chrooted they cannot run shell_exec system commands or otherwise access the files from the shell, however since I have to allow them in open basedir to include the files, someone could write a script to replicate the file structure of the include path in the local account, and then ftp it down.

I would like to prevent that from being possible, if possible.

Disabling fopen etc is not an option.

Rick Kukiela
  • Both are read access, so I doubt you could accomplish this. If your goal is security, you could create a localhost REST service for them to access? – Steven Moseley Aug 18 '16 at 19:35
  • not possible. `include` is basically `$code = file_get_contents(...); eval($code)`, and `file_get_contents()` is basically just a wrapper around `fopen(); fread(); fclose();`. There is NO way to differentiate between "fopen to run code" and "fopen to copy code" – Marc B Aug 18 '16 at 19:36
  • Another idea - you could potentially edit the php source and recompile it on your server to throw an exception when fopen is called with a specific path pattern, here: https://github.com/php/php-src/blob/master/main/fopen_wrappers.c – Steven Moseley Aug 18 '16 at 19:45

1 Answer

Here's a long-shot:

  1. Download PHP SRC: https://github.com/php/php-src/

  2. Modify the php_check_specific_open_basedir function in https://github.com/php/php-src/blob/master/main/fopen_wrappers.h

To add this line, which returns -1 when your path is accessed:

PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path)
{
    /* Deny access when the requested path lies inside the protected area.
       A C string cannot be compared with ==; use strncmp on the prefix. */
    if (strncmp(path, "/path/to/your/protected/area/",
                strlen("/path/to/your/protected/area/")) == 0) {
        return -1;
    }
    /* ... remainder of the original function unchanged ... */

  3. Then make/build/install PHP on your server with your src edits
Steven Moseley
  • This is a great idea, though I'm not sure if it's realistic for me at this time since I'm using a managed cpanel hosting account which is managed by easy apache. I'll keep this in the back pocket for later on down the road. It would be nice if the PHP gods would just add this feature to be configurable in the php.ini file ;) – Rick Kukiela Aug 19 '16 at 02:29
  • @SublymeRick I can't say for certain, as it's low-level code you're touching. It seems to me it should still work, though, as it would make sense that PHP `include` would use C's `fopen` rather than PHP's encapsulation of it. – Steven Moseley Aug 19 '16 at 15:25
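The answer's one-line patch compares the wrong operand (basedir, not the requested path) and a plain string comparison would still let a caller reach the protected directory through a path like /home/client/../../path/to/.... The stand-alone C below, added here as an illustration and not taken from php-src or from the answer, shows what a "is this path inside the protected area" check has to do: normalize the requested path lexically (collapse `.` and `..`), then match against the protected directory on a component boundary so that a sibling such as `.../area2` is not mistaken for `.../area`. PROTECTED_DIR, `normalize_path` and `path_is_protected` are names chosen for this example. Symlinks are not resolved here; inside PHP the real check runs after realpath-style resolution, and, as Marc B's comment notes, the same check sees include and fopen identically.

```c
#include <stdio.h>
#include <string.h>

/* Assumed location of the licensed source tree (no trailing slash). */
#define PROTECTED_DIR "/path/to/your/protected/area"

/* Collapse "." and ".." components of an absolute path lexically into out.
 * Returns 0 on success, -1 if the path is not absolute or out is too small.
 * Symlinks are not resolved; a real deployment would realpath() first. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    if (in[0] != '/' || outlen < 2) return -1;
    size_t o = 0;
    out[o++] = '/';                      /* out always ends in '/' while building */
    const char *p = in;
    while (*p) {
        while (*p == '/') p++;           /* skip repeated separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o > 1) {                 /* pop the last component, never above root */
                o--;
                while (o > 0 && out[o - 1] != '/') o--;
            }
            continue;
        }
        if (o + len + 1 >= outlen) return -1;
        memcpy(out + o, seg, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1) o--;                      /* drop trailing '/' unless result is "/" */
    out[o] = '\0';
    return 0;
}

/* 1 if path is PROTECTED_DIR or anything beneath it, 0 if not, -1 on bad input.
 * The match stops at a component boundary so ".../area2" is not ".../area". */
int path_is_protected(const char *path)
{
    char norm[4096];
    if (normalize_path(path, norm, sizeof norm) != 0) return -1;
    size_t plen = strlen(PROTECTED_DIR);
    if (strncmp(norm, PROTECTED_DIR, plen) != 0) return 0;
    return (norm[plen] == '\0' || norm[plen] == '/') ? 1 : 0;
}

int main(void)
{
    /* Constructed sample paths for the demonstration. */
    const char *samples[] = {
        "/path/to/your/protected/area/lib/core.php",
        "/home/client/../../path/to/your/protected/area/lib/core.php",
        "/path/to/your/protected/area2/x.php",
        "/home/client/public_html/index.php",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", path_is_protected(samples[i]), samples[i]);
    return 0;
}
```

The second sample is the case a prefix-only comparison misses: it does not start with the protected prefix, yet after `..` resolution it lands inside the area. Whatever layer performs the check (a patched fopen wrapper, a web server rule, or a filesystem ACL) must operate on the resolved path, not the string the client supplied.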