I coulnd't find anything on the internet how to create seperate php jails so I can create a "webspace" directory for someone in /var/www/html/ and their scripts cannot leave their webspace directory so that that folder is the root for php scripts in it and I can securely upload my scripts in another directory and its impossible for the person to access files outside their directory. Is there a solution how to create seperate jails or do i have to use UserDir ?
You could make use of open_basedir setting
<Directory /var/www/html>
php_admin_value open_basedir "/var/www/html"
</Directory>
See this page for more info: http://php.net/manual/en/ini.core.php#ini.open-basedir
Related
Is it a way to start a Laravel project in another folder? For example:
instead of C:/xampp/htdocs
to D:/projects/web/project1
So after I download Laravel with composer to my D:/projects/web/project1 folder I want to reach it as: http://project1.local in my browser.
I added 127.0.0.1 project1.local to my hosts but it only opens xampp in the browser.
Suggestions, ideas?
You need to indicate to xampp that your site will be sited outside the documentroot folder (where all the sites in your server are located).
In your httpd.conf file add these lines, which will allow to you to access the site via http://localhost/laravel.project:
Alias /laravel.project "D:/projects/web/project1/public"
<Directory "D:/projects/web/project1/public">
Options FollowSymlinks
AllowOverride none
Require all granted
</Directory>
If you want to get access directly, via a uri like http://laravel.project, you must create a VirtualHost.
I want to run a php file with Heroku Scheduler. What are some methods to ensure that not just anyone can come along and execute the file? Is there a way to put stuff above the web root ('www' with a php app)?
The easiest way to accomplish this is to use a .htaccess file in your project's root directory to ensure that these files are not accessible through Apache. Scheduler will still be able to execute them.
<Directory /app/www/DIRECTORY_NAME>
Order Deny,Allow
Deny from All
</Directory>
With DIRECTORY_NAME being the name you've put these PHP files in.
Is it possible to scan /home/ directory with opendir and scandir. When i try to exec script it says permission denied what should i do?
<?php
$dir = '/home/';
$dirs = scandir($dir);
?>
<pre>
<?php print_r($dirs); ?>
</pre>
You can use is_readable('/home/') to check if you have permission. If not you'd need to make sure the directory has read privileges, probably 0755 (rwxr-xr-x)
For security, PHP defines a 'basedir', below which you are not allowed to access. As Aleks G says, there is also the file permissions to consider.
This question talks about how to get around basedir restrictions: How can I relax PHP's open_basedir restriction?
Tom Haigh's answer copied to here:
You can also do this easily on a per-directory basis using the Apache (assuming this is your web server) configuration file (e.g. httpd.conf)
<Directory /var/www/vhosts/domain.tld/httpdocs>
php_admin_value open_basedir "/var/www/vhosts/domain.tld/httpdocs:/var/www/vhosts/domain.tld/zend"
</Directory>
you can also completely remove the restriction with
<Directory /var/www/vhosts/domain.tld/httpdocs>
php_admin_value open_basedir none
</Directory>
I'm not a PHP programmer, but I think your problem is that when PHP tries the opendir, it is running with the same user ID as apache has, which may not have permission to read your /home directory.
You could fix that by altering the permissions on /home, or adding the apache userid to whatever group has group ownership of home.
Possibly it is a problem in your Apache configuration file. Even if the filesystem permissions would permit it, your httpd.conf file may not allow access to /home. That would usually be the case if all of your HTML files are in /var/www.
The httpd.conf might be set up to allow serving files out of your users' home directories. In that case the permission would be granted for directories within /home but not for /home itself.
The answer is in your question: it's a permission problem. Most likely, the process under which Apache is running does not have permission to read /home directory (or your usernamd, if running in CLI). Manually do this in a terminal:
ls -ld /home
and check the attributes.
I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. Whats the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?
The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.
However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,
Order deny,allow
Deny from all
Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.
That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini
in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
to test your config before restarting apache
service httpd configtest
then (graceful restart)
service httpd graceful
Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.
If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):
ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>
Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.
This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.
To prevent .ini files from web access put the following into apache2.conf
<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>
How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>
I am on a shared hosting package on a LAMP stack with no shell access.
I can create symlinks using PHP's symlink() function.
Let's say my web root is /home/www/user1/public
Let's say I have a real directory named /home/www/user1/public/real_dir
And I create a symlink named /home/www/user1/public/fake_dir pointing to real_dir
Why would I get a 403 Forbidden when trying to access www.mydomain.com/fake_dir but not when trying to access www.mydomain.com/real_dir?
It shouldn't be a rights problem because when I create a file in PHP, I can access that all right.
I tried switching FollowSymlinks off and on in .htaccess (it was on), but no luck.
Could it be that FollowSymlinks is defined as not overwritable in a .htaccess file? Or is there something else to be aware of when working with Symlinks in Apache?
Apache has to be configured to allow access to the directory on the filesystem. This has to be done by a system administrator by inserting a <Directory> directive in the apache configuration files (httpd.conf).
Since the real directory is inside the web root it must be accessible, but FollowSymLinks may not have been enabled for the directory - this also has to be added to the <Directory> directive.
See http://httpd.apache.org/docs/2.0/mod/core.html#directory
This is possible SELinux security issue.
cat /selinux/enforce
if the value is 1, set it to 0, then restart apache.