SitePoint Sponsor

User Tag List

Results 1 to 14 of 14
  1. #1
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Need help with htaccess and PHP

    Hello,
    I am making a hosting script where users can upload files to it. It would automatically create a directory when you create an account for the user.

    Now my question is, since the directory will be able to upload all kinds of files, is there some way in htaccess to make it so that php cant access outside that directory. (i know readfile() can view files outside their directory).

    Is there any way to prevent the users from getting access outside their directories so that they cant mess up other users files.

    Thanks for your time.
    Mike

  2. #2
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadephia, PA
    Posts
    20,580
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    If you don't leave any holes in your script, they're not going to be able to get outside their directory... you prevent access by not providing it in the first place.

  3. #3
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    But when you first make the directory automatically, it has to be 777 so that the users can access it right? (and so all the user directories are going to be 777).

    If they are all 777 (so the user can upload/create/delete/etc), there has to be something to restrict them so they cant do stuff in other people's directories.

    Thanks for your time

  4. #4
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadephia, PA
    Posts
    20,580
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    You mean other people with shell access to the server? Not your website users?

  5. #5
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    if you want to allow them to upload php scripts, youre playing with a lot of fire.

    creating apache virtualhosts and applying a php open_basedir restriction sounds kinda like what youre after. but theres many other possibilities you must consider.

  6. #6
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I mean that i am making a hosting script and so when a user signs up, the server will automatically create a directory for him.

    For him to access that directory, he will need 777 since he didnt create it (i think). And so when lots of users create an account (directory), all will be 777.

    This is not safe since any user could use readdir() to read other users directories and find their code and do other things. Is there any way to prevent this?

    Thanks

  7. #7
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadephia, PA
    Posts
    20,580
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    So you're actually providing web hosting with full access to the user's directory.. in which case, you should be creating actual users on the server, and home directories owned by those users, which aren't accessible by other users.

  8. #8
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    mm. ok and one last thing. Since php isn't safe, i was wondering if there was a way to completely restrict php from being uploaded or ftped or not run.

    Any way to do this?

  9. #9
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadephia, PA
    Posts
    20,580
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    PHP isn't the only programming language your server has interpreters for. And restricting what types of files can be uploaded over FTP is not simple (we don't even know what FTP server you run) nor foolproof.

    Why don't you just run one of those web hosting control panels that handles creating real users accounts and such properly?

  10. #10
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Im interested in experimenting with php and mysql. I want it to be able to run on a shared server (if need be) and so i was just wondering how to do these things.

    Any feedback will help. Thanks.

    Update: Right now im experimenting with php on cpanel.

  11. #11
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey thanks for all your help. I figured out how to do this. All i did was use php.ini to enable safe_mode and disable dangerous function like phpinfo(), etc.

    Thanks again

  12. #12
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    mikewalterz, i dont think you understand enough about unix filesystem permissons, webservers, and different scripting languages to do this.

    safe_mode does NOT acheive what you just asked for.

  13. #13
    SitePoint Member
    Join Date
    Nov 2006
    Posts
    7
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    o mmm. Here was my php.ini file. Do you think it may stop bad scripts?

    Code:
    safe_mode = On
    safe_mode_gid = On
    disable_functions = "dl,phpinfo,shell_exec,passthru,exec,
    			popen,system,proc_terminate,proc_close"
    open_basedir = 1
    max_execution_time = 30
    error_reporting = E_ALL
    display_errors = Off
    display_startup_errors = Off
    html_errors = Off
    log_errors = On
    error_log = /var/log/php/errors
    Do i need anything else? Is it safe or not?

    Thanks for your help.

  14. #14
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadephia, PA
    Posts
    20,580
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    No amount of changing your php configuration changes the fact that filesystem functions in any scripting language will access any file in any of your users' directories. You can't offer full-blown web hosting within a shared hosting account.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •