I'm configuring a multidomain web server using Apache virtual hosts and suEXEC (Centos 6.5, Apache 2.2.5 and PHP 5.3.3).
I want to prevent PHP to access folders/files above the website directory. I will explain step by step what are my settings and at last what's the problem.
This is the folder structure that I'm using:
/var/www/domain.com/public_html/
Inside /var/www/ I've got this:
drwxr-xr-x 2 root root 4.0K Aug 13 13:30 cgi-bin/
drwxrwxr-x 4 apache apache 4.0K Jan 28 09:16 site1.com/
drwxrwxr-x 4 apache apache 4.0K Jan 28 08:44 site2.com/
drwxr-xr-x 4 apache apache 4.0K Jan 30 11:08 site3.com/
and inside /var/www/site1.com/:
drwxr-xr-x 2 apache apache 4.0K Jan 30 10:16 logs/
drwxr-xr-x 3 user1 user1 4.0K Jan 30 11:08 public_html/
The virtual host definition for site1.com inside httpd.conf is:
<VirtualHost *:80>
ServerAdmin info#site1.com
DocumentRoot /var/www/site1.com/public_html
ServerName www.site1.com
ServerAlias site1.com
ErrorLog /var/www/site1.com/logs/error_log
CustomLog /var/www/site1.com/logs/access_log common
php_flag log_errors on
php_flag display_errors on
php_value error_log /var/www/site1.com/logs/php_errors.log
<Directory "/var/www/site1.com/public_html">
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
SuexecUserGroup user1 user1
AddHandler application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php-cgi
ScriptAlias /cgi-bin/ /var/www/site1.com/public_html/cgi-bin/
<Directory "/var/www/site1.com/public_html/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
But, I wrote and executed this php script (www.site1.com/test.php)
<?php
system("id");
print "<pre>";
system("ls /var/www");
print "</pre>";
?>
and I get:
uid=503(user1) gid=503(user1) groups=503(user1)
site1.com
site2.com
site3.com
That means that PHP can access any folder in my server (including /etc /var /usr, etc)
I'd like to prevent Apache/PHP to access all folders above /var/www/site1.com
How should I configure Apache?
I've done an extensive google research about this issue, but I couldn't find the solution.
Thanks a lot.
Running on production, you should really be using something like:
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
in your php.ini file. Allowing things like system or exec represents a real security flaw.
You also want to use something like:
php_admin_value open_basedir /var/www/site1.com/
In your Apache vHost conf, to prevent PHP from overstepping its desired boundaries...
As it stands, I could upload a PHP file as user1 to /var/www/site1.com/public_html/attacker.php, that contains:
<?php
chmod("/var/www/site2.com", 777);
?>
Then, open up my browser and navigate to http://site1.com/attacker.php. Apache would pass this off to PHP quite happily, run it, and as Apache owns /var/www/site2.com is quite capable of changing the permissions.
Bam!
user1 can now access /var/www/site2.com/, as well as anyone else with a user account on that machine. It could then hijack the site, creating new files to host bitcoin mining operations, sell Viagra, etc., etc.
Note: Even if you trust your users not to do anything malicious, there's no guarantee that a third party can't gain access to their account and do something like this. Best way to deal with it is to contain a compromised account, so it can't do too much damage to the system at large.
For more info, check out:
http://php.net/manual/en/ini.core.php#ini.open-basedir
https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/
Related
Read almost all questions here, but no solution found. This drives me crazy already to do such simple stuff to run PHP on my localhost...
You don't have permission to access this resource.Server unable to
read htaccess file, denying access to be safe
ls -l
-rwxrwxrwx 1 user user 51 sep 27 14:42 .htaccess
ls -l
drwxrwxr-x 2 user user 4096 sep 27 15:17 www
Any help appreciated!
Check if there is an .htaccess file inside the www folder (and its permissions), since Apache looks for one at every directory up to the one where the requested file exists.
I'm coming from an Apache on Windows server background, but in regards to the .htaccess file, you can also put a "AllowOverride None" in your section of your httpd.conf file. At least in Windows, this means nothing can be overridden, therefore no need to look for .htaccess files.
You can also add a line to tell Apache that the "AccessFileName" is blank. Here are the entried I'm speaking of from my config file. I'm running a XAMPP server on Windows.
DocumentRoot "C:/xampp/htdocs"
<Directory "C:/xampp/htdocs">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride None
Require all granted
</Directory>
AccessFileName ""
I am using Fedora 24 on VirtualBox to host a small PHP web app. I am trying to append text into a file that is in the same local directory as the PHP file (/var/www/html/). No matter what kind of permissions or ownerships I try to set onto the directory (html/) or the file I constantly get "Permission denied in /var/www/html/pdf.php on line 21" errors.
Is there any configuration settings in my php.ini file that I need to enable to allow editing of files? I've even tried setting the directory and file to chmod 777 just to see if it would give me access but even that is being rejected.
EDIT: I have also tried creating directories and files in other locations with the same results. I tried to have Apache run the mkdir and touch commands with the same results.
EDIT 2: At the request of the comment left to my initial question. Here is the ownership information for the target directory:
ls -l /var/www/html/
drwxrwxr-x. 2 apache apache 4096 Nov 23 21:28 docs
The ownership information for the file:
-rwxrwxr-x. 1 apache apache 1381 Nov 28 17:47 pdf.php
Try assigning to www-data:nobody
chown -R www-data:nobody *, check apache group on your httpd.conf.
Verify /var/html perms to 775 at least.
Spent a lot of time looking for this answer but it's all in bits and pieces and no one every posts a solution (well most of the time) so here is my solution and it's used on various web control panels as well.
install and use MOD_RUID2
Install PHP with CLI (this is standard on newer versions)
In your HTTPD.CONF file in the virtual hosts, you'll add the following, replacing username with the user's login name, and usergroup with the user's group (These are usually the same)
<IfModule !mod_ruid2.c>
SuexecUserGroup username usergroup
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid username usergroup
RGroups #none
</IfModule>
An example of a Virtual host conf is:
<VirtualHost *:443>
DocumentRoot "/home/imtheuser/public_html"
ServerName imtheuser.com
<IfModule !mod_ruid2.c>
SuexecUserGroup imtheuser imtheuser
</IfModule>
<IfModule mod_ruid2.c>
RMode config
RUidGid imtheuser imtheuser
RGroups #none
</IfModule>
<Directory "/home/imtheuser/public_html">
allow from all
Options None
Require all granted
</Directory>
</VirtualHost>
This will allow apache/php to write to a directory owned by the user. It's much safer then setting your chmod to 0777.
I'm having some issues with permissions when it comes to symbolic links on my apache2 webserver. I originally had a data/ in /var/www , but was it getting too large for the directory and I kept getting a partition full warning. I'd like to move the data/ folder to /home/processor/Documents/sandbox/www_data/
I moved all the data to www_data and created a symbolic link in /var/www
ln -s /home/processor/Documents/sandbox/www_data data
Checking the link:
:/var/www$ ls -l data
lrwxrwxrwx 1 processor processor 43 Mar 16 17:03 data -> /home/processor/Documents/sandbox/www_data/
An example of the data shows that all permissions seem reasonable to me:
:/var/www$ ls -l data/2/15/2015/8/25/10/54/wf/2_15_2015_8_25_10_54_11*
-rwxrwxrwx 1 processor processor 475643 Mar 16 16:58 data/2/15/2015/8/25/10/54/wf/2_15_2015_8_25_10_54_11.png
-rwxrwxrwx 1 processor processor 53539 Mar 16 16:58 data/2/15/2015/8/25/10/54/wf/2_15_2015_8_25_10_54_11_thumb.png
This is whats in between the <VirtualHost *:80> </VirtualHost> in my /etc/apache2/sites-available/000-default.conf:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
But when trying too access it from the site I get "Forbidden You don't have permission to access /data/2/15/2015/8/25/9/46/wf/2_15_2015_8_25_9_46_28.png on this server."
I've read through a bunch of threads and have chown www-data:www-data, I've chmod -R 777 everything, and changed my 000-default.conf to numerous varieties of the same thing, but nothing is working. I don't know where to go from here.
Any suggestions would be greatly appreciated.
Thanks
It has to do with the permissions of /home/processor. The entire path needs a certain degree of privileges and the home directory did not have them. The only thing that needed to be done was to allow access to read and execute
sudo chmod 755 /home/processor/
Background:
I've installed apache2 and have tried set up virtual directories... but when I try to test the different sites, I keep getting 404 error messages.
The article /tutorial I've been following is located at:
https://www.digitalocean.com/community/tutorials/how-to-configure-the-apache-web-server-on-an-ubuntu-or-debian-vps
I have the following folder structure in place:
/var/www/webtest.com/test.html
/var/www/ttimes.com/test.php
In the /etc/apache2/sites-available folder, I have the following configuration files:
jmj#cp-AOA150:/etc/apache2/sites-available$ ls -lah /var/www/
total 44K
drwxr-xr-x 9 root root 4.0K Jul 28 21:37 .
drwxr-xr-x 15 root root 4.0K Jul 28 19:54 ..
drwxr-xr-x 2 root root 4.0K May 11 2013 current
drwxr-xr-x 2 root root 4.0K Apr 3 08:21 html
-rwxr-xr-x 1 root root 177 Nov 23 2013 index.html
-rwxr-xr-x 1 root root 124 Jul 28 20:14 test.php
drwxr-xr-x 5 jmj root 4.0K Jun 6 11:58 ttimes.com
drwxr-xr-x 2 jmj root 4.0K Jul 28 21:21 webtest.com
Here's what the webtest.com.conf file looks like:
<VirtualHost *:80>
ServerAdmin admin#webtest.com
ServerName webtest.com
ServerAlias www.webtest.com
DocumentRoot /var/www/webtest.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Here's what my hosts file looks like:
127.0.0.1 localhost
127.0.1.1 cp-AOA150
This is all just on a local dev box where I want to have multiple sites located under /var/www. Once the site is developed, I'm going to move them to my hosting company.
I currently don't have other IP addresses to add, so I skipped the step of adding VPS server IPs.
I am able to successfully run the
sudo a2ensite webtest.com.conf
command and I restart apache.
But when I go to my site by typing http://localhost/webtest.com/test.html, I get a 404 not found error.
What I've tried so far:
- I've reviewed the article to make sure I didn't miss any steps.
- proved that apache itself is working by going to http://localhost. When I do that, I get a page that reads:
Index of /
[ICO] Name Last modified Size Description
Apache/2.4.7 (Ubuntu) Server at localhost Port 80
Then I stop the apache service and try the same URL. It fails.
You might have to edit /etc/apache2/apache2.conf
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and change it to;
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
then,
sudo service apache2 restart
You may need to also do sudo a2enmod rewrite to enable module rewrite.”
You have it setup as a virtual host pointing to webtest.com but you're trying to access it through localhost/. With a VirtualHost it doesn't exist in that path.
The easiest way is to edit your /etc/hosts file to make a local DNS entry for webtest.com. Add a line to that file like this:
127.0.0.1 webtest.com
Then point your browser to webtest.com and you should see your site.
I have Ubuntu 11.10 with Lamp installed
There is some files that i can't access to from my web directory "/var/www"
http://localhost/banner/banner.html
I am getting an error :
Forbidden You don't have permission to access /banner/banner.html on this server.
Apache/2.2.20 (Ubuntu) Server at localhost Port 80
I can access /var/www/index.php normally as i can browse /var/www/banner normally too from my browser
This is a small peace of :
a1a4a#A1A4a:~$ ls -l /var/www
total 7088
-rwxrwxrwx 1 root root 916 2011-11-25 20:49 access-controlled.php
-rw-r--r-- 1 root root 22163 2011-12-16 22:28 account_info.php
-rw-r--r-- 1 root root 22126 2011-12-16 22:27 account_info.php~
-rw-r--r-- 1 root root 16585 2011-12-16 21:32 acount_info.php
-rw-r--r-- 1 root root 0 2011-12-16 21:28 acount_info.php~
drwxrwxrwx 5 root root 4096 2011-12-09 23:03 banner
drwxrwxrwx 2 root root 4096 2011-12-09 23:03 css
And
a1a4a#A1A4a:~$ ls -l /var/www/banner
total 20
-rw--w---- 1 root root 2564 2011-11-25 20:51 banner.html
drwx-w---- 4 root root 4096 2011-12-09 23:03 examples
drwx-w---- 2 root root 4096 2011-12-09 23:03 lib
drwx-w---- 4 root root 4096 2011-12-09 23:03 skins
-rw--w---- 1 root root 1431 2011-11-25 20:51 style.css
This is my config :
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
My "nano /etc/apache2/apache2.conf" is set as default ...
How can i make all my /var/www files (folders and sub-folders and files ) accessible from my browser as if i was on a windows machine using Wamp ...
P.S: I will host the website on a Windows machine i am using ubuntu just for coding.
the user running the apache deamon, on ubuntu thats www-data (like in most debian based systems), needs at least read permissions for the files.
But as you posted only owner root and group root has read rights.
Actually owner root has rw group root has r.
So the user actually running the webserver (www-data) falls to the others permissions, which have none.
Either do a chmod -R o+r /var/www/banner/* or a chown -R www-data /var/www/banner to fix that.
I always forget that while the sub-directories and files need the read permission, the sub-directories also need execute permission.
chmod a+x banner
This tends to come up when I've saved a web page in the 'Webpage, Complete' format with Chrome or Firefox and am then trying to serve it under localhost, which I often do when building mockups for clients.
May be it is an issue with your banner.html permissions - apache`s user has no permissions even to read it.