Apache+PHP环境上虚拟主机防被旁注
日期:2014-05-16 浏览次数:21067 次
Apache+PHP环境下虚拟主机防被旁注
IS环境下比较容易实现,可以通过独立“匿名访问账户” + NTFS权限来防止。
查了一下,Apache下类似IIS的独立虚拟主机账户的方案貌似不太好实现,但有一种更简单的方法:
就是在VirtualHost节中通过添加
php_admin_value open_basedir /data/wwwroot/www.xxxxx.com
来限制当前虚拟主机PHP的操作权限仅在/data/wwwroot/www.xxxx.com目录下。
我用Phpspy测试了一下,果然很有效,未加该限制时可以列出文件)。
注意:
因为Web服务器在处理文件上传时会用到系统的临时目录(对于Linux来说就是/tmp),所以还必须要有这个目录的操作权限才可以。
php_admin_value open_basedir支持同时设置多个目录,目录之前要用:分隔。完整如下:
php_admin_value open_basedir /data/wwwroot/www.redicecn.com/:/tmp/
来自于PHP官方的更多说明:http://www.php.net/manual/en/ini.core.php#ini.open-basedir www.chnhack.com
open_basedir stringLimit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it’s not possible to avoid this restriction with a symlink. If the file doesn’t exist then the symlink couldn’t be resolved and the filename is compared to (a resolved) open_basedir .
The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().
In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with “php_admin_value open_basedir none“.
Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.
The restriction specified with open_basedir is a directory name since PHP 5.2.16 and 5.3.4. Previous versions used it as a prefix. This means that “open_basedir = /dir/incl” also allowed access to “/dir/include” and “/dir/incls” if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: open_basedir = /dir/incl/
The default is to allow all files to be opened.
Note:
As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set(). When listing several directories, you can use the PATH_SEPARATOR
另外看到了另外一种设置临时目录的方法: http://brandonwamboldt.ca/multiple-directories-w-php-open_basedir-540/
php_admin_value open_basedir /var/www/vhosts/saebermedia.com
php_admin_value upload_tmp_dir /var/www/vhosts/saebermedia.com/.tmp
IS环境下比较容易实现,可以通过独立“匿名访问账户” + NTFS权限来防止。
查了一下,Apache下类似IIS的独立虚拟主机账户的方案貌似不太好实现,但有一种更简单的方法:
就是在VirtualHost节中通过添加
php_admin_value open_basedir /data/wwwroot/www.xxxxx.com
来限制当前虚拟主机PHP的操作权限仅在/data/wwwroot/www.xxxx.com目录下。
我用Phpspy测试了一下,果然很有效,未加该限制时可以列出文件)。
注意:
因为Web服务器在处理文件上传时会用到系统的临时目录(对于Linux来说就是/tmp),所以还必须要有这个目录的操作权限才可以。
php_admin_value open_basedir支持同时设置多个目录,目录之前要用:分隔。完整如下:
php_admin_value open_basedir /data/wwwroot/www.redicecn.com/:/tmp/
来自于PHP官方的更多说明:http://www.php.net/manual/en/ini.core.php#ini.open-basedir www.chnhack.com
open_basedir stringLimit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it’s not possible to avoid this restriction with a symlink. If the file doesn’t exist then the symlink couldn’t be resolved and the filename is compared to (a resolved) open_basedir .
The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().
In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with “php_admin_value open_basedir none“.
Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.
The restriction specified with open_basedir is a directory name since PHP 5.2.16 and 5.3.4. Previous versions used it as a prefix. This means that “open_basedir = /dir/incl” also allowed access to “/dir/include” and “/dir/incls” if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: open_basedir = /dir/incl/
The default is to allow all files to be opened.
Note:
As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set(). When listing several directories, you can use the PATH_SEPARATOR
另外看到了另外一种设置临时目录的方法: http://brandonwamboldt.ca/multiple-directories-w-php-open_basedir-540/
php_admin_value open_basedir /var/www/vhosts/saebermedia.com
php_admin_value upload_tmp_dir /var/www/vhosts/saebermedia.com/.tmp
免责声明: 本文仅代表作者个人观点,与爱易网无关。其原创性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容、文字的真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
