PHP - 每个虚拟主机都有一个不同的 open_basedir [英] PHP - a different open_basedir per each virtual host

问题描述

我遇到过这个问题，我有一台运行 apache 和 php 的服务器.我们有很多虚拟主机，但我们注意到一个潜在的恶意用户可以使用他的网络空间来浏览其他用户的文件(通过一个简单的 php 脚本)甚至系统文件，这可能是由于 php 权限而发生的.避免它的一种方法是在 php.ini 中设置 open_basedir var，yhis 在单个主机系统中非常简单，但在虚拟主机的情况下，每个主机都会有一个 basebir.

I've came across on this problem, I have a sever running apache and php. We have many virtual hosts but we've noticed that a potentially malicious user could use his web space to browse other user's files(via a simple php script) and even system files, this could happens due to the php permissions. A way to avoid it is to set the open_basedir var in php.ini, yhis is very simple in a single host system, but in case of virtual hosts there would be a basebir per each host.

我可以为每个用户/主机设置 dis basedir 吗?有没有办法让apache继承被请求的php文件的php权限

Ho can I set dis basedir per each user/host? is there a way to let apache hereditate php privileges of the php file that has been requested

E.G./home/X_USER/index.php 作为所有者 X_USER，当 apache 读取文件 index.php 时，它会检查其路径和所有者，只是我正在寻找一个系统设置 php basedir 变量到该路径.

E.G. /home/X_USER/index.php has as owner X_USER, when apache read the file index.php it checks its path and owner, simply I'm looking for a system set php basedir variable to that path.

提前致谢洛波克

推荐答案

可以使用 php_admin_value Apache 指令在每个目录的基础上设置 open_basedir.

It is possible to set open_basedir on a per-directory basis using the php_admin_value Apache directive.

手册中的示例:

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>

请回复您的评论:是的，外部命令不受 open_basedir 的影响 - 在调用 ls/ 时，这是通过用户权限完成的PHP 运行帐户(通常命名为 www 或类似名称).据我所知，不可能将 open_basedir 扩展到外部命令.

Re your comment: yes, external commands are not affected by open_basedir - when calling ls / this is done with the rights the user account PHP runs under (often named www or similar). As far as I know, it is not possible to extend open_basedir to external commands.

在那种情况下，我认为在正常的 Apache/PHP 设置中不可能提供您正在寻找的那种保护.唯一可能接近的是在 chroot jail 中运行 Apache.我自己没有做过这件事，所以我不能说什么 - 你必须深入研究，也许可以专门问一个问题.

In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.

这篇关于PHP - 每个虚拟主机都有一个不同的 open_basedir的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！