httpd-users mailing list archives

From "Mattias Segerdahl" <>
Subject [users@httpd] Running vhosts with php and virtual users
Date Mon, 29 May 2006 06:54:10 GMT
I'm experiencing difficulties using Apache in the following environment. Is
there any good solution that would solve the security problems?

Server version: Apache/2.2.2
Server built:   May 14 2006 18:14:53
PHP 5.1.4 (cli) (built: May  5 2006 19:14:55)

Virtual users are stored under /home/web/domain.tld/username where users
have access to their directory using an ftpd with virtual accounts. All files
and directories are owned by a single system uid/gid.

Now, using this setup, users can access files and directories outside their
own home using PHP; this is something that I really need to prevent. I'd
like to chroot/jail them to their own directory. I could run a config parser
and set up <Directory> settings for each user, with php_admin_value set
for open_basedir. But that seems to be a bit much.

Is there any other way to approach this problem?

Mattias Segerdahl
EMS IT- & Säkerhetslösningar

Påskbergatan 10, 41268 Göteborg
Telephone: +46-31-7034120
Cellular: +46-735-867626
Fax: +46-735-867626

Please note that this message may contain confidential information. If you
have received this message by mistake, please inform the sender of the
mistake by sending a reply, then delete the message from your system without
making, distributing or retaining any copies of it.
Although we believe that the message and any attachments are free from
viruses and other errors that might affect the computer or IT system where
it is received and read, the recipient opens the message at his or her own
risk. We assume no responsibility for any loss or damage arising from the
receipt or use of this message.
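
The per-user <Directory>/open_basedir generator mentioned in the message, as an added example that is not part of the original post. It assumes mod_php (so php_admin_value is valid inside <Directory>) and the /home/web/domain.tld/username layout; the function names and the name whitelist are hypothetical choices made for this sketch.

```python
import os
import re
import sys

# Names safe to embed inside a quoted Apache path (no quotes, spaces, newlines).
# Assumption: this whitelist is a choice made for the example.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def directory_block(home):
    """One <Directory> section confining PHP file access to `home`."""
    # Trailing slash on open_basedir: PHP releases of this era compare it as a
    # string prefix, so ".../bob" would also permit ".../bobby".
    return (
        f'<Directory "{home}">\n'
        f'    php_admin_value open_basedir "{home}/"\n'
        f"</Directory>\n"
    )


def usable(parent, name):
    """Accept only real directories with a safe name; reject symlinks."""
    path = os.path.join(parent, name)
    ok = (SAFE_NAME.fullmatch(name) is not None
          and not os.path.islink(path) and os.path.isdir(path))
    return path, ok


def generate(web_root):
    """Return (config_text, skipped_paths) for web_root/<domain>/<user>."""
    root = os.path.realpath(web_root)
    blocks, skipped = [], []
    for domain in sorted(os.listdir(root)):
        domain_dir, ok = usable(root, domain)
        if not ok:
            skipped.append(domain_dir)
            continue
        for user in sorted(os.listdir(domain_dir)):
            home, ok = usable(domain_dir, user)
            if ok:
                blocks.append(directory_block(home))
            else:
                skipped.append(home)
    return "\n".join(blocks), skipped


if __name__ == "__main__":
    # Web root defaults to the layout described in the message.
    config, skipped = generate(sys.argv[1] if len(sys.argv) > 1 else "/home/web")
    print(config)
    for path in skipped:
        print(f"skipped: {path}", file=sys.stderr)
```

The output is meant to be written to a file pulled in with Include and regenerated whenever an FTP account is added or removed; skipped paths are reported on stderr so an oddly named or symlinked home is noticed rather than silently left unconfined.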
