0

How do I restrict web access to parent folders of the main website directory. For example if I have the following directories/files:

/
├── home
│   └── user
│   │   ├── img.png
│   │   ├── script.js
│   │   └── page.html
└── var
    └── www
        └── index.html

and www.example.com points to /var/www/, I don't /var/www/index.html to be able to access any files outside, in this case, img.png, script.js, page.html.

A few extra notes:

  • I am using suPHP so I can't go around and change permissions/owners to restrict access.
  • suPHP does not work with htaccess files[1], so I can't go around and disable ../ for the top most folder(s) [2].
  • Symbolic links must also be ignored in case / is linked to in /var/www
puk
  • 285
  • 1
  • 6
  • 18

1 Answers1

1

It sounds like you need to enable the check_vhost_docroot option in order to ensure that the scripts is within DOCUMENT_ROOT:

check_vhost_docroot=true
quanta
  • 50,327
  • 19
  • 152
  • 213
  • Is this in the `/etc/suphp/suphp.conf` file? If so, would this also apply to, for example ` – puk Nov 07 '11 at 04:12
  • It would only apply to PHP scripts (that is, anything accessed by suPHP). Anything else accessed by Apache (not suPHP) is read using the webserver user permissions. – MV. Jun 17 '12 at 08:54