Need help with htaccess and PHP

[mikewalterz]

Hello,
I am making a hosting script where users can upload files to it. It would automatically create a directory when you create an account for the user.

Now my question is, since the directory will be able to upload all kinds of files, is there some way in htaccess to make it so that php cant access outside that directory. (i know readfile() can view files outside their directory).

Is there any way to prevent the users from getting access outside their directories so that they cant mess up other users files.

Thanks for your time.
Mike

[Dan Grossman]

If you don't leave any holes in your script, they're not going to be able to get outside their directory... you prevent access by not providing it in the first place.

[mikewalterz]

But when you first make the directory automatically, it has to be 777 so that the users can access it right? (and so all the user directories are going to be 777).

If they are all 777 (so the user can upload/create/delete/etc), there has to be something to restrict them so they cant do stuff in other people's directories.

Thanks for your time

[Dan Grossman]

You mean other people with shell access to the server? Not your website users?

[clamcrusher]

if you want to allow them to upload php scripts, youre playing with a lot of fire.

creating apache virtualhosts and applying a php open_basedir restriction sounds kinda like what youre after. but theres many other possibilities you must consider.

[mikewalterz]

I mean that i am making a hosting script and so when a user signs up, the server will automatically create a directory for him.

For him to access that directory, he will need 777 since he didnt create it (i think). And so when lots of users create an account (directory), all will be 777.

This is not safe since any user could use readdir() to read other users directories and find their code and do other things. Is there any way to prevent this?

Thanks

[Dan Grossman]

So you're actually providing web hosting with full access to the user's directory.. in which case, you should be creating actual users on the server, and home directories owned by those users, which aren't accessible by other users.

[mikewalterz]

mm. ok and one last thing. Since php isn't safe, i was wondering if there was a way to completely restrict php from being uploaded or ftped or not run.

Any way to do this?

[Dan Grossman]

PHP isn't the only programming language your server has interpreters for. And restricting what types of files can be uploaded over FTP is not simple (we don't even know what FTP server you run) nor foolproof.

Why don't you just run one of those web hosting control panels that handles creating real users accounts and such properly?

[mikewalterz]

Im interested in experimenting with php and mysql. I want it to be able to run on a shared server (if need be) and so i was just wondering how to do these things.

Any feedback will help. Thanks.

Update: Right now im experimenting with php on cpanel.

[mikewalterz]

Hey thanks for all your help. I figured out how to do this. All i did was use php.ini to enable safe_mode and disable dangerous function like phpinfo(), etc.

Thanks again

[clamcrusher]

mikewalterz, i dont think you understand enough about unix filesystem permissons, webservers, and different scripting languages to do this.

safe_mode does NOT acheive what you just asked for.

[mikewalterz]

o mmm. Here was my php.ini file. Do you think it may stop bad scripts?

Code:

safe_mode = On
safe_mode_gid = On
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,
			popen,system,proc_terminate,proc_close"
open_basedir = 1
max_execution_time = 30
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
html_errors = Off
log_errors = On
error_log = /var/log/php/errors

Do i need anything else? Is it safe or not?

Thanks for your help.

[Dan Grossman]

No amount of changing your php configuration changes the fact that filesystem functions in any scripting language will access any file in any of your users' directories. You can't offer full-blown web hosting within a shared hosting account.