For my web hosting panel, users need to be blocked from accessing files outside their own directory (/var/www/u/s/username). I tried to use this line in httpd.conf to prevent people from going up a directory.

php_admin_value open_basedir .:/usr/lib/php5

But in php.ini, it seems to have no effect. What am I doing wrong?

A: 
  1. As far as I can tell, it's not in path format; it has to be just one directory;
  2. Using "." with open_basedir makes no sense at all; "." is always the current directory. You can chdir('/wherever/you/want'), having "." expanded as /wherever/you/want
vartec
A webhost I used to moderate used this type of restriction. It works, although it prevents a few scripts from working. I use mod_vhost_alias so I can't just add a different open_basedir for each user. Is there a better way of doing this?
I tested it on another server, and it won't let me chdir out of the open_basedir allowed paths.
A: 

Most probably you're modifying the wrong "php.ini".

Milen A. Radev
I'm putting it in the main httpd.conf (the right one :) ). I can't put it in php.ini because I have 2 Apache instances running off the same binary, and they need to have different configurations.
In this case the description of your problem doesn't make sense - on one hand it works if put in httpd.conf and doesn't work when in php.ini. But on the other hand you can't put it in the php.ini anyway. So what's your problem?
Milen A. Radev
It does NOT work in the httpd.conf. Sorry for not making that clear.
Create a script with only a call to "phpinfo()" in it and put it where the other "restricted" scripts should reside. Open it in the browser and check what's the value of "open_basedir".
Milen A. Radev
+1  A: 

It might be a silly suggestion, but have you restarted the webserver after making the php.ini changes?

Another method you might try using is to append a file using the "auto_prepend_file" directive to include a script to tighten up the open_basedir directive to the current user's directory:

From PHP.net (http://www.php.net/manual/en/ini.sect.safe-mode.php)

As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set()

ADDITIONAL SUGGESTION:

The Apache configuration will need to be set up properly for INI overrides to be effective. Ensure that you have "AllowOverride Options" or "AllowOverride All" set in the Apache config for your Server or Virtual Host.

http://us2.php.net/configuration.changes

http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

PHPexperts.ca
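
The auto_prepend_file approach from the answer above, written out as an added example (not code from the original page or its posters). It assumes the /var/www/u/s/username layout from the question with u and s being the first two characters of the user name, a server-wide open_basedir of /var/www/:/usr/lib/php5/ set in php.ini, and a hypothetical prepend file path /usr/lib/php5/basedir_prepend.php.

```php
<?php
// Added example: loaded through auto_prepend_file before every user script.
// Assumptions (not from the original page):
//   php.ini:     open_basedir = /var/www/:/usr/lib/php5/
//   httpd.conf:  php_admin_value auto_prepend_file /usr/lib/php5/basedir_prepend.php
// open_basedir is left out of php_admin_value on purpose: the PHP manual states
// that a value set that way cannot be changed with ini_set().

// Return "/var/www/u/s/username/" for a script below that directory, or null.
// \1\2 force the user name to start with the two shard characters.
function user_basedir($scriptPath, $root = '/var/www')
{
    $pattern = '#^' . preg_quote($root, '#')
             . '/([a-z0-9])/([a-z0-9])/(\1\2[a-z0-9_-]*)/#';
    if (!is_string($scriptPath) || !preg_match($pattern, $scriptPath, $m)) {
        return null;
    }
    // Trailing slash: without it "username" would also match "username2".
    return $root . '/' . $m[1] . '/' . $m[2] . '/' . $m[3] . '/';
}

// SCRIPT_FILENAME is used because mod_vhost_alias may leave DOCUMENT_ROOT at
// the server-wide value. realpath() resolves symlinks first, so a link that
// points outside the user's tree produces no match.
$script = isset($_SERVER['SCRIPT_FILENAME'])
    ? realpath($_SERVER['SCRIPT_FILENAME'])
    : false;
$base = ($script === false) ? null : user_basedir($script);

// Fail closed: if the path is not recognised or the setting is refused,
// the user's script never runs.
if ($base === null
    || ini_set('open_basedir', $base . ':/usr/lib/php5/') === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('open_basedir could not be applied');
}
unset($script, $base);
```

Setting auto_prepend_file with php_admin_value keeps a user's .htaccess from replacing or clearing it.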
+1  A: 

You may need to add a line for each user Directory:

<Directory /var/www/u/s/username>
php_admin_value open_basedir "/var/www/u/s/username/:/shared/path/"
</Directory>

Note that the trailing slash is here to prevent user "username" from accessing a "username2" directory.

Julien Tartarin