
multi-user php setup problem

Hi
I have built a free-php-space website. After the user is
registered, he will have 100MB of PHP space. The server is Linux + Apache.
The location of the user's files is:

/phpspace/<username>

My problem is: if user A has uploaded a PHP file, user A can use PHP
to read user B's directory. How can I isolate them?
That means if there is a PHP file in /phpspace/usera/index.php, how can I
make it able to read the directory phpspace/usera only?

thanks
from Peter (cm****@hotmail.com)

Feb 8 '07 #1
5 Replies


cm****@hotmail.com wrote:
> My problem is: if user A has uploaded a PHP file, user A can use PHP
> to read user B's directory. How can I isolate them?
> That means if there is a PHP file in /phpspace/usera/index.php, how can I
> make it able to read the directory phpspace/usera only?

Simply use umask or force files to have specific access rights:

user not in group www,
web server user in group www,
files group: www,
files mode: rw-r----- (640).

Simple - user won't be able to read...

And for a more secure option, man chroot (use Apache's VirtualHost directive).

Safe mode might help as well.

--
Cz.
Feb 8 '07 #2

> Hi
> I have built a free-php-space website. After the user is
> registered, he will have 100MB of PHP space. The server is Linux + Apache.
> The location of the user's files is:
>
> /phpspace/<username>
>
> My problem is: if user A has uploaded a PHP file, user A can use PHP
> to read user B's directory. How can I isolate them?

You can't. In fact, it is not user A who put the file there. Uploading
works as follows: The file sent by the browser is put in the server's
temp directory. From there, you use the move_uploaded_file() function to
put it in, say /phpspace/usera/. It is the webserver-system-user (such
as "apache") who put the file in that directory.

> That means if there is a PHP file in /phpspace/usera/index.php, how can I
> make it able to read the directory phpspace/usera only?

If /phpspace/usera/ is publicly visible (from the browser, I mean), then
everyone can access the file. Therefore, it is better to put these user
directories outside the webroot. In that case, only the server can reach
them, and you can do any user management in PHP.

Best regards
Feb 8 '07 #3

cm****@hotmail.com wrote:
> Hi
> I have built a free-php-space website. After the user is
> registered, he will have 100MB of PHP space. The server is Linux + Apache.
> The location of the user's files is:
>
> /phpspace/<username>
>
> My problem is: if user A has uploaded a PHP file, user A can use PHP
> to read user B's directory. How can I isolate them?
> That means if there is a PHP file in /phpspace/usera/index.php, how can I
> make it able to read the directory phpspace/usera only?
>
> thanks
> from Peter (cm****@hotmail.com)

Try asking in alt.apache.configuration. You can limit access through
your apache config file.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 8 '07 #4
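
One way to limit access from the Apache configuration, as the reply above suggests (an added example, not part of the original thread): the script below prints a `<Directory>` block per user that sets PHP's `open_basedir`, so a script under /phpspace/usera can open files only beneath that directory. It assumes mod_php; `open_basedir`, the script and its function names are not from the thread.

```sh
#!/bin/sh
# Added example: print one Apache <Directory> block per hosted user so that
# mod_php confines that user's scripts to the user's own directory.
# Assumptions (not from the thread): mod_php, the open_basedir directive,
# and the function names below.
LC_ALL=C; export LC_ALL
BASE="/phpspace"    # user directories, as laid out in the question

# Accept only simple names. "/" or ".." would escape BASE, and quotes or
# newlines would inject directives into the generated configuration.
valid_user() {
    [ "${#1}" -le 32 ] || return 1
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the block for one user; print nothing and fail on a bad name.
emit_block() {
    valid_user "$1" || return 1
    cat <<EOF
<Directory "$BASE/$1">
    # php_admin_value is honoured in server config only, not in .htaccess.
    # The trailing slash stops "usera" from also matching "usera2" on PHP
    # versions that compare open_basedir as a string prefix.
    php_admin_value open_basedir "$BASE/$1/"
</Directory>
EOF
}

# Emit blocks for all names given; report rejected names on stderr.
generate() {
    rc=0
    for u in "$@"; do
        emit_block "$u" || { echo "rejected: $u" >&2; rc=1; }
    done
    return "$rc"
}

# Constructed sample input: two accounts and one traversal attempt.
generate usera userb '../etc' || true
```

open_basedir restricts PHP's own file functions only; commands started through exec-style functions are not covered, so filesystem permissions on the user directories still matter.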

On Feb 8, 5:43 pm, Czapi <c....@ask.me> wrote:
> cmk...@hotmail.com wrote:
> > My problem is: if user A has uploaded a PHP file, user A can use PHP
> > to read user B's directory. How can I isolate them?
> > That means if there is a PHP file in /phpspace/usera/index.php, how can I
> > make it able to read the directory phpspace/usera only?
>
> Simply use umask or force files to have specific access rights:
>
> user not in group www,
> web server user in group www,
> files group: www,
> files mode: rw-r----- (640).
>
> Simple - user won't be able to read...
>
> And for a more secure option, man chroot (use Apache's VirtualHost directive).
>
> Safe mode might help as well.
>
> --
> Cz.

Hi Cz
My English is too bad, so I made you misunderstand. I think a virtual
host doesn't help, because they are all in the same virtual host.
Let me try to explain my question again: I have a website
myhost.mydomain.com, and there are two PHP files:
http://myhost.mydomain.com/usera/a.php
http://myhost.mydomain.com/userb/b.php
Suppose a.php is located in /usera/a.php.
How can I make a.php able to fread() only its own directory, rather than
the whole hard disk?

thanks
from Peter (cm****@hotmail.com)

Feb 9 '07 #5

cmk128 wrote:
> I have built a free-php-space website. After the user is
> registered, he will have 100MB of PHP space.

When you say that the user is registered, do you mean they are set up as a
real user on your server, with an entry in "/etc/passwd"? If so, then
PHP's "safe mode" is your friend.

If not, then you're using a "homebrewed" idea of what a user is, so you're
probably going to have to use some homebrewed protection, probably
involving chroot.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/CSS/Javascript/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Feb 9 '07 #6
