Apache mod_userdir and php permissions

I have a setup with many users, who can host their personal webpage (served by apache via mod_userdir), located under public_html in their homes. php support is also enabled in apache.

At the moment I have the following configuration in /etc/apache2/mods-enabled/userdir.conf

<IfModule mod_userdir.c>
        UserDir <home basedir>/*/public_html
        UserDir disabled root

        <Directory <home basedir>/*/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes Options
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Require all granted
                </Limit>
                <LimitExcept GET POST OPTIONS>
                        Require all denied
                </LimitExcept>
        </Directory>
</IfModule>

The problem is that, since every php script is run by user www-data, each user page has permissions over every other user's public_html. For example, I can get a php reverse shell and inspect other users' content.

I have tried to add

php_admin_value open_basedir "."

inside the Directory tag above. This prevents the security hole described above, but actually only allows the php script to go down the directory hierarchy. For example

<?php
chdir('assets');
echo getcwd();
chdir('..');
echo "<br>";
echo getcwd();
?>

produces

<home>/public_html/assets
<home>/public_html/assets

The problem is solved if the <home>/public_html path is hardcoded in the open_basedir variable, but of course I need to be able to do this for all users via some variable. Does apache store the wildcard (<home basedir>/*/public_html) match in some variable that I can access inside the Directory tag? Or are there any other, better ways to do this, for instance running each user page in a chroot-like environment?
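
The question notes that hard-coding each `<home>/public_html` path in open_basedir works; one way to get that for every user is to generate a per-user `<Directory>` block with the absolute path. This is an added example, not code from the original post: the function name, the accepted character set for user names and passing the home base directory as an argument are assumptions.

```shell
#!/bin/sh
# Added example: emit one <Directory> block per user, each with that user's
# absolute public_html path as open_basedir (mod_php's php_admin_value).
# $1 stands for the "<home basedir>" of the question; its real value is not
# given in the post, so it is passed in as an argument (assumption).

gen_open_basedir_conf() {
    home_base=${1%/}
    for dir in "$home_base"/*/public_html; do
        # An unmatched glob stays literal and fails -d. A symlinked
        # public_html could point into another user's tree, so only real
        # directories are accepted.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        user=${dir%/public_html}
        user=${user##*/}
        # The name ends up inside Apache config: reject anything outside a
        # conservative character set instead of trying to quote it.
        case $user in
            ''|.*|-*|*[!A-Za-z0-9._-]*)
                echo "skipping unsafe directory name: $user" >&2
                continue ;;
        esac
        # userdir.conf already has "UserDir disabled root".
        [ "$user" = root ] && continue
        printf '<Directory "%s">\n' "$dir"
        printf '    php_admin_value open_basedir "%s"\n' "$dir"
        printf '</Directory>\n'
    done
    return 0
}

# Stand-alone use: sh this-script <home basedir> > generated.conf
# (generated.conf is a hypothetical file name), include it after
# userdir.conf, then run "apachectl configtest" before reloading.
if [ $# -ge 1 ]; then
    gen_open_basedir_conf "$1"
fi
```

The generated file has to be regenerated whenever a user is added or removed, for example from the same hook that creates the home directory.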

digijay
Did you have a look at [mod_suphp](https://github.com/lightsey/mod_suphp)?