1

I have a setup with many users, who can host their personal webpage (served by apache via mod_userdir), located under public_html in their homes. php support is also enabled in apache.

At the moment I have the following configuration in /etc/apache2/mods-enabled/userdir.conf

<IfModule mod_userdir.c>
        UserDir <home basedir>/*/public_html
        UserDir disabled root

    &lt;Directory &lt;home basedir&gt;/*/public_html&gt;
            AllowOverride FileInfo AuthConfig Limit Indexes Options
            Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            &lt;Limit GET POST OPTIONS&gt;
                    Require all granted
            &lt;/Limit&gt;
            &lt;LimitExcept GET POST OPTIONS&gt;
                    Require all denied
            &lt;/LimitExcept&gt;
    &lt;/Directory&gt;



</IfModule>

The problem is that, since every php script is run by user www-data, each user page has permissions over every other users' public_html. For example, I can get a php reverse shell and inspect other users' content.

I have tried to add

php_admin_value open_basedir "."

inside the Directory tag above. This prevents the security hole described above, but actually only allows the php script to go down the directory hierarchy. For example

<?php
chdir('assets');
echo getcwd();
chdir('..');
echo "<br>";
echo getcwd();
?>

produces

<home>/public_html/assets
<home>/public_html/assets

The problem is solved if the <home>/public_html path is hardcoded in the open_basedir variable, but of course I need to be able to do this for all users via some variable. Does apache store the wildcard (<home basedir>/*/public_html) match in some variable that I can access inside the Directory tag? Or are any other better ways to do this, for instance running each user page in a chroot-like environment?

mvphys
  • 11

0 Answers0