multi-user php setup problem

  • cmk128@hotmail.com

    multi-user php setup problem

    Hi,
    I have built a free-php-space website. After the user is
    registered, he will have 100MB PHP space. The server is Linux+Apache.
    The location of the user's files is:

    /phpspace/<username>

    My problem is: if user A has uploaded a PHP file, user A can use PHP
    to read user B's directory. How can I isolate them?
    That means, if there is a PHP file in /phpspace/usera/index.php, how can I
    make it able to read the directory phpspace/usera only?

    thanks
    from Peter (cmk128@hotmail.com)

  • Czapi

    #2
    Re: multi-user php setup problem

    cmk128@hotmail.com wrote:
    > My problem is: if user A has uploaded a PHP file, user A can use PHP
    > to read user B's directory. How can I isolate them?
    > That means, if there is a PHP file in /phpspace/usera/index.php, how can I
    > make it able to read the directory phpspace/usera only?

    Simply use umask or force files to have specific access rights:

    user not in group www,
    web server user in group www,
    files group: www,
    files mode: rw-r----- (640).

    Simple - user won't be able to read...

    And for a more secure option, man chroot (use Apache's VirtualHost directive).

    Safe mode might help as well.

    --
    Cz.


    • Dikkie Dik

      #3
      Re: multi-user php setup problem

      > Hi,
      > I have built a free-php-space website. After the user is
      > registered, he will have 100MB PHP space. The server is Linux+Apache.
      > The location of the user's files is:
      >
      > /phpspace/<username>
      >
      > My problem is: if user A has uploaded a PHP file, user A can use PHP
      > to read user B's directory. How can I isolate them?

      You can't. In fact, it is not user A who put the file there. Uploading
      works as follows: the file sent by the browser is put in the server's
      temp directory. From there, you use the move_uploaded_file() function to
      put it in, say, /phpspace/usera/. It is the webserver-system-user (such
      as "apache") who put the file in that directory.

      > That means, if there is a PHP file in /phpspace/usera/index.php, how can I
      > make it able to read the directory phpspace/usera only?

      If /phpspace/usera/ is publicly visible (from the browser, I mean), then
      everyone can access the file. Therefore, it is better to put these user
      directories outside the webroot. In that case, only the server can reach
      them, and you can do any user management in PHP.

      Best regards


      • Jerry Stuckle

        #4
        Re: multi-user php setup problem

        cmk128@hotmail.com wrote:
        > Hi,
        > I have built a free-php-space website. After the user is
        > registered, he will have 100MB PHP space. The server is Linux+Apache.
        > The location of the user's files is:
        >
        > /phpspace/<username>
        >
        > My problem is: if user A has uploaded a PHP file, user A can use PHP
        > to read user B's directory. How can I isolate them?
        > That means, if there is a PHP file in /phpspace/usera/index.php, how can I
        > make it able to read the directory phpspace/usera only?
        >
        > thanks
        > from Peter (cmk128@hotmail.com)

        Try asking in alt.apache.configuration. You can limit access through
        your Apache config file.

        --
        ==================
        Remove the "x" from my email address
        Jerry Stuckle
        JDS Computer Training Corp.
        jstucklex@attglobal.net
        ==================


        • cmk128@hotmail.com

          #5
          Re: multi-user php setup problem

          On Feb 8, 5:43 PM, Czapi <c....@ask.me> wrote:
          > cmk...@hotmail.com wrote:
          > > My problem is: if user A has uploaded a PHP file, user A can use PHP
          > > to read user B's directory. How can I isolate them?
          > > That means, if there is a PHP file in /phpspace/usera/index.php, how can I
          > > make it able to read the directory phpspace/usera only?
          >
          > Simply use umask or force files to have specific access rights:
          >
          > user not in group www,
          > web server user in group www,
          > files group: www,
          > files mode: rw-r----- (640).
          >
          > Simple - user won't be able to read...
          >
          > And for a more secure option, man chroot (use Apache's VirtualHost directive).
          >
          > Safe mode might help as well.
          >
          > --
          > Cz.

          Hi Cz,
          My English is too bad, so I let you misunderstand. I think a virtual
          host doesn't help, because they are all in the same virtual host.
          Let me try to explain my question again: I have a website
          myhost.mydomain.com, there are two PHP files:


          Suppose a.php is located in /usera/a.php.
          How can I make a.php able to fread() only its own directory, rather than
          the whole hard disk?

          thanks
          from Peter (cmk128@hotmail.com)


          • Toby A Inkster

            #6
            Re: multi-user php setup problem

            cmk128 wrote:
            > I have built a free-php-space website. After the user is
            > registered, he will have 100MB PHP space.

            When you say that the user is registered, do you mean they are set up as a
            real user on your server, with an entry in "/etc/passwd"? If so, then
            PHP's "safe mode" is your friend.

            If not, then you're using a "homebrewed" idea of what a user is, so you're
            probably going to have to use some homebrewed protection, probably
            involving chroot.

            --
            Toby A Inkster BSc (Hons) ARCS
            Contact Me ~ http://tobyinkster.co.uk/contact
            Geek of ~ HTML/CSS/Javascript/SQL/Perl/PHP/Python*/Apache/Linux

            * = I'm getting there!
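
An audit of the layout listed in post #2 (group www, mode 640), combined with post #3's observation that uploaded files end up owned by the web server account. This is an added example, not code from any poster in the thread; the function names, finding labels and sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: each immediate
# subdirectory of ROOT is one hosting user, and PHP runs as the web
# server account (for example under mod_php).
#
# audit_phpspace ROOT GROUP WEBUSER
# Prints one "<LABEL> <path>" line per finding:
#   DIR    user directory grants any permission to "other"
#   MODE   file mode is not exactly 640 (rw-r-----)
#   GROUP  file does not belong to GROUP
#   OWNER  file is owned by WEBUSER, so every script the web server
#          runs has owner access to it, whichever user uploaded it
# Usage on a real host: audit_phpspace /phpspace www apache
audit_phpspace() {
    root=$1 group=$2 webuser=$3
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        dir=${dir%/}
        # -prune keeps find on the directory itself, without descending.
        find "$dir" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'DIR %s\n' {} \;
        find "$dir" -type f ! -perm 640 -exec printf 'MODE %s\n' {} \;
        find "$dir" -type f ! -group "$group" -exec printf 'GROUP %s\n' {} \;
        find "$dir" -type f -user "$webuser" -exec printf 'OWNER %s\n' {} \;
    done
}

# Build a constructed sample tree (not real data) and print its path:
# usera follows the 640 layout, userb is left world-readable.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/usera" "$t/userb"
    chmod 750 "$t/usera"
    chmod 755 "$t/userb"
    : > "$t/usera/index.php"; chmod 640 "$t/usera/index.php"
    : > "$t/userb/index.php"; chmod 644 "$t/userb/index.php"
    printf '%s\n' "$t"
}
```

An OWNER line on files in two different user directories means Unix permissions alone cannot tell those users apart while their scripts run as that account.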
