Securing PHP via open_basedir based on script path
I have several users running PHP scripts on a server and I'd like to lock it down so that their scripts can only access files in their www directory (it doesn't use Linux user accounts, so there isn't a home directory).
open_basedir seems like the obvious choice, but how can I set that parameter based on where the script is running from? Obviously the value for open_basedir would be different for each user.
I'm running PHP5-FPM - PHP5 as a FastCGI process which nginx connects to - on Ubuntu 11.04
Any help or advice appreciated!
Solution 1:
I've discovered the solution - php.ini directives based on the file path or request host. From the documentation:
[HOST=dev.site.com]
open_basedir = /var/www/dev.site.com
or
[PATH=/var/www/dev.site.com]
open_basedir = /var/www/dev.site.com
Solution 2:
Assuming you're using Apache, you should be able to set it within each VirtualHost instance with:
php_admin_value open_basedir /path/to/restrict/to
Resist the temptation to use ".", as the user can still change directory with chdir.
http://php.net/manual/en/ini.core.php has a bit more information, too.
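An added helper, not part of either answer, that generates the per-site [PATH=...] sections from Solution 1 while guarding against the relative-path pitfall from Solution 2 and against the prefix-match behaviour of open_basedir (a value without a trailing slash also admits sibling directories that merely start with the same characters). The site paths are constructed samples; whether PATH sections are honoured by your SAPI should be confirmed in phpinfo() output.

```python
"""Generate per-site php.ini [PATH=...] sections that set open_basedir.

Added example, not from the original answers. Assumes each site lives
under a document root such as /var/www/<host>; the sample site list
below is constructed, not taken from the question.
"""
import posixpath


def open_basedir_for(docroot: str) -> str:
    """Normalise a document root into a safe open_basedir value.

    open_basedir is a prefix match unless the value ends in a slash:
    "/var/www/dev" would also admit "/var/www/devel". Relative values
    such as "." are rejected because a script can chdir() out of them.
    """
    if not docroot.startswith("/"):
        raise ValueError(f"open_basedir must be absolute, got {docroot!r}")
    clean = posixpath.normpath(docroot)  # collapses "..", "//" and "/./"
    if clean == "/":
        raise ValueError("refusing to set open_basedir to the whole filesystem")
    return clean + "/"


def render_path_sections(docroots) -> str:
    """Emit one [PATH=...] block per site in the php.ini syntax from Solution 1."""
    blocks = []
    for root in docroots:
        base = open_basedir_for(root)
        blocks.append(f"[PATH={base.rstrip('/')}]\nopen_basedir = {base}")
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample sites; replace with the real list of www directories.
    sites = ["/var/www/dev.site.com", "/var/www/other.example//"]
    print(render_path_sections(sites), end="")
```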