1

I have a setup with many users, who can host their personal webpage (served by apache via mod_userdir), located under public_html in their homes. php support is also enabled in apache.

At the moment I have the following configuration in /etc/apache2/mods-enabled/userdir.conf

<IfModule mod_userdir.c>
        UserDir <home basedir>/*/public_html
        UserDir disabled root

        <Directory <home basedir>/*/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes Options
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Require all granted
                </Limit>
                <LimitExcept GET POST OPTIONS>
                        Require all denied
                </LimitExcept>
        </Directory>
</IfModule>

The problem is that, since every php script is run by user www-data, each user page has permissions over every other users' public_html. For example, I can get a php reverse shell and inspect other users' content.

I have tried to add

php_admin_value open_basedir "."

inside the Directory tag above. This prevents the security hole described above, but actually only allows the php script to go down the directory hierarchy. For example

<?php
chdir('assets');
echo getcwd();
chdir('..');
echo "<br>";
echo getcwd();
?>

produces

<home>/public_html/assets
<home>/public_html/assets

The problem is solved if the <home>/public_html path is hardcoded in the open_basedir variable, but of course I need to be able to do this for all users via some variable. Does apache store the wildcard (<home basedir>/*/public_html) match in some variable that I can access inside the Directory tag? Or are any other better ways to do this, for instance running each user page in a chroot-like environment?

0 Answers0