Im making sort of a service where people can upload PHP files and they get their own directory.
Is there a way to prevent any way the PHP can access the root of the server? and just stay in the bounderies of its folder?
The open_basedir directive does just that :
Limit the files that can be opened by
PHP to the specified directory-tree,
including the file itself.
The most secure would be to chroot Apache and PHP.
Related
We currently have a mutltisite setup of more than 20 sudomains for customers.
The same codebase is used for all sites, let's just say it is located in the folder /srv/code.
Apache's root directory points to it as well.
Now we have to create a folder under /var/www/subdomain for each subdomain and put a configuration file called config.ini there.
How do I tell Apache now when the PHP script searches for the file config.ini that it can find it here: /var/www/subdomain ?
And is it the best solution ever?
Is this a shared host? If yes, you should first check if a script inside /srv/code is allowed to access a file in /var/www/subdomain.
You can extract the domain the current script was called via from $_SERVER['SERVER_NAME']. You can then use this information to extract the subdomain from it and access the config.ini in the correct directory.
This is probably easier then doing it in Apache.
I just made a mistake in a PHP application I'm developing with WAMP Server.
My WAMP / WWW folder is inside my D:\ disk, where I also have my personal data. My app, due to a fail in generating a dynamic path, deleted all my music, my photos and other personal files I had.
I mean... WHAT? How was it possible? I will need a recovery tool to recover that data.
How can keep the PHP from touching anything outside it's folder in www so it does not happen again? It's a disaster.
Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself.
http://php.net/manual/en/ini.core.php#ini.open-basedir
Use open_basedir to restrict file operations to within specific directories, like this (in the website's VirtualHost file)...
php_admin_value open_basedir "C:/WampDeveloper/Temp/;C:/WampDeveloper/Websites/www.example.com/webroot/"
Though if you are deleteing via the command line or bat file (e.g., you are not using PHP file functions directly), the only way to fix this is to set Apache to run under a custom account that only has permissions set on WAMP's folder.
I have got directories like /www/site1 and /www/site2 on my server. I would like to prevent files in site1 from executing things like:
include("../site2/configuration.php");
I need the directories to be completely independent.
Run PHP as a user other then the web server user and set the permissions on the directories and files so they can only be access by the owner (chmod 700).
You can use open_basedir php.ini directive.
can php require any php file in my pc?
I set the apache www root folder to be d:\phpnow\htdocs, I thought that php can only require php files under this folder before ,such as require('laji/hello/a.php');
today I found it php can load any php file in my PC ,only need the full path.
how to prevent ? it should not safe for web server.
can php require any php file in my pc?
Any file that the user whom the PHP program runs as has permission to access. (That is to say, filesystem permissions).
how to prevent?
Limit the permissions on the file system or chroot the server so it runs in a sandboxed environment. (I've no idea if chrooting is possible on Windows)
it should not safe for web server.
It is perfectly safe unless either:
You allow untrusted users to install their own PHP programs on your PC (but see also What do you recommend for setting up a shared server with php)
You allow file paths on your filesystem to be selected via unfiltered user input
PHP can include any file on the server within its jailed limits, if any. In this case your computer is the server. It's not a security issue, since a remote server has no way of accessing your file system.
You can deny access to a directory using .htaccess file since you run php with Apache.
If you want to block direct access to the whole includes folder, you can put a .htaccess file (the file has only extension, and no filename. You may use notepad to type code and save it as ".htaccess" with quotes, called absolute naming) in that folder that contains;
deny from all
If you want to disable directory listing, here is a tutorial:
Directory listing in htaccess. Allow, Deny, Disable, Enable Directory Listing in .htaccess
and you may refer this Stack Overflow question .htaccess deny access to folder
Just Google for folder access deny using htaccess and you can find lots of stuff.
I have a project where Red5 is recording videos. I need PHP to be able to access the videos and move them so they can be accessed by HTML.
How can I do this?
I found this post: Accessing files outside the document root with Apache
But it involves updating some file that was never specified. And I'm not sure it is a viable solution in this case anyway.
lee
PHP by default can already access files outside the web root, unless restricted with an open_basedir directive (or safe mode, but hope you're not in that cage).
It's normally a good practice to insert within a VirtualHost configuration an open_basedir restriction. You can specify multiple directories separated by : on Linux and ; on windows.
php_admin_value open_basedir /var/www/s/stage:/usr/share/php:/your/dir
To access those files either use an absolute path or a path relative to the position of the PHP file called. (So you'll have to ../ to reach levels above).
Also be sure that directories in which you want to write to are assigned to the webserver user and have write permission.