Hi folks,

 

Before the question here's the background. I have a little PHP app which has many users. The code is stored in a directory in my own home directory. The other users access the files through a sym link which I put in their home directories. The system works great :-)

 

However I'd like to stop users from being able to download my code through FTP. At the moment they are chrooted to their own home directories BUT the sym link means that they can download my code :-( How can I secure the code directory so that only one user (me!) can access the files over FTP.

 

TIA

 

Huw

PS - If you haven't guessed I'm using VSFTPd.

Link to comment
https://forums.phpfreaks.com/topic/131475-vsftp-question/

Yeah, and after you delete the symlink, just make it an alias in Apache if you want them to still have access.

 

Either that or you could place it within PHP's include_path and give them access that way, if it's just some sort of framework or something.

Couldn't they technically download it then?

 

 

I think it's something they all have in common -- like a control panel or something -- that they access from their website.  like website1.com/something website2.com/something.

Link to comment
https://forums.phpfreaks.com/topic/131475-vsftp-question/#findComment-683238

Couldn't they technically download it then?

 

No. All that means is that they could use (include*/require*) to use the libraries.

 

Of course they could also see where the files are stored by looking at get_include_path(), and from there they could attempt to copy the files. But with the correct permissions that's still a long shot.

It's pretty hard to tell what the OP is actually describing, but either solution should work depending on the requirements.

Link to comment
https://forums.phpfreaks.com/topic/131475-vsftp-question/#findComment-683292

"Of course they could also see where the files are stored by looking at get_include_path(), and from there they could attempt to copy the files. But with the correct permissions that's still a long shot."

Wouldn't the permissions be right for copying though?  If they have access to read the file to include it, wouldn't they have the ability to read it to copy it?  Does PHP not include and fopen as the same user?

Link to comment
https://forums.phpfreaks.com/topic/131475-vsftp-question/#findComment-683344

Hi again. Sorry not to come back to this thread earlier but I needed to test some of the ideas suggested.

 

The shared resource is a multi-language CMS I've been writing. I want my clients to access a shared admin directory so that bug fixes/features are rolled out to them all at the same time.

 

Running an Alias to the admin dir (Alias /admin /var/www/html/masteraccount/admin ) almost works. The problem seems to be that it can find some required files but not others. I've modded the original (working) code but it still doesn't work as expected. Each user has a config (and functions) file in their doc roots but the session file is in the 'admin' space. My system of requiring certain files now seems to fail - but I'm not absolutely sure why!!! The alias redirection seems to have a different effect to a sym link! Any ideas?

 

I'm using this code to 'require' files:

$doc_root = $_SERVER['DOCUMENT_ROOT'];
$serv_root = $_SERVER['SERVER_NAME'];
require_once("http://$serv_root/admin/session.php");
require_once("$doc_root/config.php");
require_once("$doc_root/functions.php");

 

The kind of odd thing I'm getting is this

"Fatal error: Call to undefined function filter128() in /var/www/html/masteraccount/admin/session.php on line 83"

 

The function is included in functions.php(!) and the requirement doesn't fail - so it should be there!! Weird.

Link to comment
https://forums.phpfreaks.com/topic/131475-vsftp-question/#findComment-686601

require_once("http://$serv_root/admin/session.php");

 

Oh gosh....  I hate explaining this one, but here it goes:

 

 

 

When you include a file over the HTTP protocol, the webserver does what it's supposed to do and does its voodoo magic on it, in this case, the webserver parses the file before serving it.

So, if I were to do the following:

 

file1.php

<?php
include 'http://somehost.com/file2.php';

 

file2.php

<?php
function blah() {

}

 

 

The PHP file file2.php would be returned empty to the first script since when file2.php was processed by php it wouldn't output anything.

Link to comment
https://forums.phpfreaks.com/topic/131475-vsftp-question/#findComment-687241
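
The behaviour explained in the post above, as an added example that is not part of the original thread: the file requested by URL runs in its own process and only its output comes back, while a filesystem include runs in the caller's process. A separate PHP CLI process stands in for the web server here (an assumption of the demo), the temp-directory files are constructed, and `filter128` borrows its name from the error message in the thread with a made-up body.

```php
<?php
// Added example, not code from the thread. All files are constructed in a
// temp directory. Assumption: a separate PHP CLI process stands in for the
// web server that would answer the http:// request.
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir);

// functions.php defines the helper (name borrowed from the error message in
// the thread; the body is made up for this demo).
file_put_contents("$dir/functions.php",
    "<?php function filter128(\$s) { return substr(\$s, 0, 128); }\n");

// session.php calls the helper but never loads functions.php itself.
file_put_contents("$dir/session.php",
    "<?php \$session_ok = (filter128('abc') === 'abc');\n");

// 1) What an http:// include would receive: the *output* of session.php run
//    in its own process, where the caller's functions.php does not exist.
$cmd = escapeshellarg(PHP_BINARY) . ' -d display_errors=1 '
     . escapeshellarg("$dir/session.php") . ' 2>&1';
$body = (string) shell_exec($cmd);
echo "Body the including script would get back:\n", trim($body), "\n\n";

// 2) Filesystem includes run inside the current process, so the order
//    "functions first, then session" makes filter128() available.
require_once "$dir/functions.php";
require_once "$dir/session.php";
echo 'filter128 defined: ', var_export(function_exists('filter128'), true), "\n";
echo 'session.php ran:   ', var_export($session_ok, true), "\n";

// URL includes only work when allow_url_include is enabled; report the
// current value so it can be switched off once nothing depends on it.
echo 'allow_url_include: ', var_export(ini_get('allow_url_include'), true), "\n";

// Remove the constructed files.
unlink("$dir/functions.php");
unlink("$dir/session.php");
rmdir($dir);
```

Applied to the setup in the thread, this means requiring session.php by its filesystem path under /var/www/html/masteraccount/admin rather than by URL, after config.php and functions.php have been loaded.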