PHP - 每个每个虚拟主机不同的open_basedir [英] PHP - a different open_basedir per each virtual host

问题描述

喜
我碰到这个问题，我有一个断绝运行的Apache和PHP。我们有很多虚拟主机，但我们注意到一个潜在恶意用户可以使用他的网络空间浏览其他用户的文件（通过一个简单的PHP脚本），甚至系统文件，这可能是由于PHP的权限发生。
避免它的方法是设置php.ini中的open_basedir的VAR，yhis是在单一主机系统很简单，但在虚拟主机的情况下，将有每每台主机一个basebir。

Hi I've came across on this problem, I have a sever running apache and php. We have many virtual hosts but we've noticed that a potentially malicious user could use his web space to browse other user's files(via a simple php script) and even system files, this could happens due to the php permissions. A way to avoid it is to set the open_basedir var in php.ini, yhis is very simple in a single host system, but in case of virtual hosts there would be a basebir per each host.

浩我可以设置每个用户的每一个/ DIS主机BASEDIR？有没有办法让已请求php文件的阿帕奇hereditate PHP权限

Ho can I set dis basedir per each user/host? is there a way to let apache hereditate php privileges of the php file that has been requested

例如。
/home/X_USER/index.php具有作为所有者X_USER，当Apache读取index.php文件它会检查其路径和所有者，只是我在寻找一个系统中设置PHP的basedir变量的路径。

E.G. /home/X_USER/index.php has as owner X_USER, when apache read the file index.php it checks its path and owner, simply I'm looking for a system set php basedir variable to that path.

感谢提前
Lopoc

Thank in advance Lopoc

推荐答案

这是可以使用设置的open_basedir 在每个目录基础上 php_admin_value 的Apache。

It is possible to set open_basedir on a per-directory basis using the php_admin_value Apache directive.

从手动例如：

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>

回复您的评论：是，外部命令不受的open_basedir - 打电话时 LS / 这是与权下（通常命名为 WWW 或类似）做PHP运行的用户帐户。据我所知，这是不可能延长的open_basedir 外部命令。

Re your comment: yes, external commands are not affected by open_basedir - when calling ls / this is done with the rights the user account PHP runs under (often named www or similar). As far as I know, it is not possible to extend open_basedir to external commands.

在这种情况下，我不认为你要找的是可能在正常的Apache / PHP设置的一种保护。也许接近的唯一事情是在chroot jail 运行Apache 。我没有这样做我自己，所以我不能说什么 - 你必须在挖，也许专门请教一个问题关于

In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.

这篇关于PHP - 每个每个虚拟主机不同的open_basedir的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！