Feature #105
closed
"suphp" or "chroot per virtual host" or "open_base_dir" needed
Description
Sorry for my poor English.
lighttpd is nice work.
But there are security holes in PHP.
Some attackers write files in the /tmp directory (etc.) and execute them by using PHP application bugs.
So we have to restrict PHP so that it cannot write files beyond the www-home directory.
PHP's "open_base_dir" option somewhat protects against those attacks, and it works at the virtual host level with Apache.
lighttpd needs a ".htaccess" file which can override PHP options.
Or "suphp" or "chroot with each vhost" could be another solution.
I hope to see it soon.
Updated by Anonymous about 19 years ago
The feature that can't be made to work with apache + php is running each virtual host as a different user and group in its own OS-level chroot.
This would offer a level of security for shared hosting that cannot currently be obtained, and enable each virtual host to be provided with a custom environment (including php.ini).
-- willmoy
Updated by Anonymous about 19 years ago
Different vhosts use different fastcgi php handlers (using sockets) - and those php handlers all use different rights that fit the current vhost. My layout is like this:
- /var/www/
- /vhost1/
- /php/
- /php-wrapper.sh
- /php.ini
- /webroot/
- /php/
- /vhost2/
- /php/
- /php-wrapper.sh
- /php.ini
- /webroot/
- /php/
That allows me to have a different ini file for every vhost - with different open_basedir restrictions. Is this what you want? Yes, your integrated solution (chroot) would be even nicer, but maybe my solution can help you until there's a better way?
-- Benjamin Podszun
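An added example, not part of the thread or of lighttpd itself: a shell script that builds the per-vhost layout described in the comment above, writing each vhost's own php.ini (with open_basedir) and wrapper, and printing the matching lighttpd block. The placement of files under php/, the tmp/ directory, the socket name, the php-cgi path and the use of the directory name as the hostname are assumptions.

```shell
#!/bin/sh
# Added example: per-vhost php.ini + wrapper generator.
# Paths, socket name and php-cgi location are assumptions, not from the thread.

PHP_CGI="${PHP_CGI:-/usr/bin/php-cgi}"   # assumed php-cgi path

# make_vhost BASE NAME: create BASE/NAME/{php,webroot,tmp} with its own php.ini
make_vhost() {
    base=$1; name=$2; root="$base/$name"
    # Reject names that could escape BASE or break the generated config.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*|.*) echo "bad vhost name: $name" >&2; return 1 ;;
    esac
    mkdir -p "$root/php" "$root/webroot" "$root/tmp" || return 1
    chmod 700 "$root/tmp"

    # Trailing slashes matter: open_basedir is a prefix match, so
    # ".../vhost1" without the slash would also allow ".../vhost10".
    # Temp and session files are kept inside the vhost instead of /tmp.
    cat > "$root/php/php.ini" <<EOF
open_basedir = $root/webroot/:$root/tmp/
upload_tmp_dir = $root/tmp
session.save_path = $root/tmp
EOF

    # The wrapper pins this vhost's handler to this vhost's ini file.
    cat > "$root/php/php-wrapper.sh" <<EOF
#!/bin/sh
exec $PHP_CGI -c $root/php/php.ini
EOF
    chmod 755 "$root/php/php-wrapper.sh"
}

# lighttpd_block BASE NAME: print the host-conditional FastCGI config
# that routes .php requests to this vhost's own socket.
lighttpd_block() {
    root="$1/$2"
    cat <<EOF
\$HTTP["host"] == "$2" {
    server.document-root = "$root/webroot/"
    fastcgi.server = ( ".php" => (( "socket" => "$root/php/php.sock" )) )
}
EOF
}
```

Each wrapper still has to be started under its vhost's own uid and bound to that socket by whatever spawner is in use; that step is not shown here.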
Updated by Anonymous over 17 years ago
yes! i have been wanting this too.
apache2+suphp is cool, when it works (had some issues)
i'd really like to use lighty w/ adaptive fastcgi spawning, and need to have some uid/gid configuration in the fastcgi.server config block (is what i am thinking?)
or perhaps just a chown/chgrp on the vhost level. or just a check of the file permissions and if file is above MIN_GID and MIN_UID then exec with those permissions (anything - PHP, CGIs, ...) i don't know why that isn't more popular/standard without addons in all servers! right now i am trying to do a lighttpd+suexec deal, but that still seems to rely on me knowing all the users and then configuring each vhost (which i wanted to use mod_simple_vhost) to assign the right fastcgi socket or port... which i can't do without some preliminary index or an include_shell script to generate a ton of "hardcoded" virtual host blocks, it looks like.
-- mike503
Updated by Anonymous almost 17 years ago
I hope to have
apache2+suphp+zend+xcache !
Updated by stbuehler over 16 years ago
- Status changed from New to Fixed
- Resolution set to invalid
Use http://cyanite.org/execwrap/ or some other wrapper.
Updated by Anonymous about 16 years ago
Replying to anonymous:
> I hope to have
> apache2+suphp+zend+xcache !
I've managed to get suphp and lighty. HowTo is here http://www.markgrenham.com/articles/howto_lighttpd_and_suphp
-- MGrenham
Updated by mike503 about 16 years ago
php-fpm resolves any needs for php-based per-user stuff. i've learned that since i posted here.
normal CGI, other SAPIs - no clue. but for PHP that's all you need. works better than spawn-fcgi too.