PHP - 每个虚拟主机都有一个不同的 open_basedir
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2781185/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP - a different open_basedir per each virtual host
提问by Lopoc
I've came across on this problem, I have a sever running apache and php. We have many virtual hosts but we've noticed that a potentially malicious user could use his web space to browse other user's files(via a simple php script) and even system files, this could happens due to the php permissions. A way to avoid it is to set the open_basedir var in php.ini, yhis is very simple in a single host system, but in case of virtual hosts there would be a basebir per each host.
我遇到过这个问题,我有一台运行 apache 和 php 的服务器。我们有很多虚拟主机,但我们注意到一个潜在的恶意用户可以使用他的网络空间来浏览其他用户的文件(通过一个简单的 php 脚本)甚至系统文件,这可能是由于 php 权限而发生的。避免它的一种方法是在 php.ini 中设置 open_basedir var,yhis 在单个主机系统中非常简单,但在虚拟主机的情况下,每个主机都有一个 basebir。
Ho can I set dis basedir per each user/host? is there a way to let apache hereditate php privileges of the php file that has been requested
我可以为每个用户/主机设置 dis basedir 吗?有没有办法让apache继承被请求的php文件的php权限
E.G. /home/X_USER/index.php has as owner X_USER, when apache read the file index.php it checks its path and owner, simply I'm looking for a system set php basedir variable to that path.
EG /home/X_USER/index.php 作为所有者 X_USER,当 apache 读取文件 index.php 时,它会检查其路径和所有者,只是我正在寻找一个系统设置 php basedir 变量到该路径。
Thank in advance Lopoc
提前致谢 Lopoc
回答by Pekka
It is possible to set open_basediron a per-directory basis using the php_admin_valueApache directive.
可以open_basedir使用php_admin_valueApache 指令在每个目录的基础上进行设置。
Example from the manual:
手册中的示例:
<Directory /docroot>
php_admin_value open_basedir /docroot
</Directory>
Re your comment:yes, external commands are not affected by open_basedir- when calling ls /this is done with the rights the user account PHP runs under (often named wwwor similar). As far as I know, it is not possible to extend open_basedirto external commands.
回复您的评论:是的,外部命令不受open_basedir- 调用时ls /使用 PHP 运行的用户帐户(通常命名www或类似)的权限完成。据我所知,不可能扩展open_basedir到外部命令。
In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.
在这种情况下,我认为在正常的 Apache/PHP 设置中不可能提供您正在寻找的那种保护。唯一可能接近的是在 chroot jail 中运行 Apache。我自己没有做过这件事,所以我不能说任何事情——你必须深入研究,也许会专门问一个问题。
回答by AllenJB
You can set many php.ini settings using the Apache configuration file.
您可以使用 Apache 配置文件设置许多 php.ini 设置。
See these related pages from the PHP manual: - http://php.net/manual/en/configuration.changes.php- http://www.php.net/manual/en/ini.core.php#ini.sect.path-directory- http://www.php.net/manual/en/configuration.changes.modes.php
请参阅 PHP 手册中的这些相关页面: - http://php.net/manual/en/configuration.changes.php- http://www.php.net/manual/en/ini.core.php#ini。 sect.path-directory- http://www.php.net/manual/en/configuration.changes.modes.php
回答by CplusHua
chroot is a good idea. And now docker is more effective.
chroot 是个好主意。现在 docker 更有效。
and open_basedir with "/docroot" is not security ,you should end with a "/" or PHP can access /docroot1
并且带有“/docroot”的 open_basedir 不安全,您应该以“/”结尾,否则 PHP 可以访问 /docroot1
