restrict access to root folder


deansatch

I have given someone ftp access to a folder which is placed at the root. Obviously if he wanted to, he could access all the main site files at the root by doing a simple include(../private-stuff.php); or even go as far as writing a script that deletes all the files in the root.

 

Is there a way I can restrict access so he can only include files from within his directory and he can't delete or read any files in the root? Possibly not a php solution but maybe using htaccess?


I'm still struggling to find an answer for this that works. Basically, I want to stop files within the directory www.site.com/limitedperson/ from accessing files in the root (www.site.com/), i.e. disallow include(), require(), fopen(), etc.

 

e.g. If they create a file: site.com/limitedperson/get_access.php and put within that file:

<?php include('../index.php'); ?>

I want it to fail - "access denied" - rather than showing the index page that they shouldn't have access to.


Yes, you create a user with access only to the folder /limitedperson/ and edit vsftpd.conf to reflect their permissions in allowing them to access root. Standard Linux config.


@oni-kun - I don't have access to the vsftpd.conf file. Can this be done via htaccess or php.ini?

 

FTP is a very, very distant program from Apache. You cannot. Do you have shell access? It's in /etc/vsftpd.conf. If you're limited then there's not much you can do, at least nothing in standard documentation.


Well I don't see the point in web hosts giving the ability to create extra ftp accounts - it means that I can give someone ftp access to a particular folder and they can write a quick script to harvest all the login details from config files or delete/alter all the files on the server!!! I may as well give them full ftp access!

 

@ym_chaitu - I still need the functions enabled, just disallow them from accessing files outside of the directory.


It's not about restricting user access via ftp - it is restricting file access. The user can log in via ftp and only see the files in the ftp directory - but it doesn't stop them putting a script in there that can access files in the root. I feel that I have not explained the problem well enough - if anyone understands what I am trying to do - please write a better explanation of the problem :)


Ah! I have added a line in php.ini

open_basedir = /home/sites/site.com/public_html/limited_user

 

This restricts the includes from going to the root - but now I have the problem that the user can now create another php.ini file and override that open_basedir line. Is there a way to stop overriding the php.ini file in the root folder from a php.ini file in a sub-directory?

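Added example (editor's, not code posted in the thread) showing what the open_basedir line above actually enforces, and what it does not. It builds a throwaway copy of the poster's layout under the system temp directory (a site root holding a constructed config.php plus a limited_user/ subdirectory), tightens open_basedir to the subdirectory from inside the script, and then tries the include('../...') trick from the first post, an upward unlink, and an attempt to widen the restriction again. The directory names and file contents are constructed for the demo; the real base would be /home/sites/site.com/public_html/limited_user as in the post.

```php
<?php
// Added example, not from the thread. Run from the CLI: php open_basedir_demo.php
// Assumes the CLI php.ini has no open_basedir of its own (the default).

function setupLayout(): array
{
    // Constructed layout under the temp dir: <root>/config.php is the "private"
    // file the limited user must not reach, <root>/limited_user/ is their area.
    $root    = sys_get_temp_dir() . '/obd_demo_' . bin2hex(random_bytes(4));
    $limited = $root . '/limited_user';
    mkdir($limited, 0700, true);
    file_put_contents($root . '/config.php', "<?php\n\$db_password = 'constructed-secret';\n");
    file_put_contents($limited . '/own.txt', "only mine\n");
    return [$root, $limited];
}

function report(string $label, bool $ok): void
{
    printf("%-45s %s\n", $label, $ok ? 'allowed' : 'denied');
}

[$root, $limited] = setupLayout();

// Tighten open_basedir to the limited user's directory. ini_set() may only
// narrow open_basedir at runtime, never loosen it. Since PHP 5.3.4 the value
// is treated as a directory name rather than a bare prefix, but the trailing
// slash is still the safe spelling (it rules out /limited_user2 style siblings).
if (ini_set('open_basedir', $limited . '/') === false) {
    fwrite(STDERR, "could not tighten open_basedir\n");
    exit(1);
}

// Inside the allowed tree: works as before.
report('read limited_user/own.txt', file_get_contents($limited . '/own.txt') !== false);

// The include('../index.php') trick from the thread. PHP resolves the path
// (including ../ and symlinks) before the check, sees it leaves the base
// directory, emits an "open_basedir restriction in effect" warning and returns
// false. The @ only keeps the warnings out of the demo output.
report('read ../config.php', @file_get_contents($limited . '/../config.php') !== false);
report('include ../config.php', (@include $limited . '/../config.php') !== false);

// Writes and deletes above the base directory are refused the same way.
report('unlink ../config.php', @unlink($limited . '/../config.php'));

// The script cannot escape by resetting the directive: widening fails.
report('ini_set open_basedir back to site root', ini_set('open_basedir', $root) !== false);

// What open_basedir does NOT cover: anything that spawns a process. The child
// runs as the web server user with no path restriction at all, so on a shared
// host the directive must be paired with disable_functions (exec, system,
// shell_exec, passthru, proc_open, popen), which can only be set in php.ini.
if (function_exists('exec')) {
    $last = @exec('cat ' . escapeshellarg($root . '/config.php'));
    report('exec("cat <root>/config.php")', $last !== false && $last !== '');
} else {
    report('exec("cat <root>/config.php")', false);  // disable_functions is in effect
}
```

Every line except the first and the exec probe should print "denied"; the exec line prints "allowed" on a host that has not disabled the process-spawning functions, which is the gap a limited FTP user would go for next. The demo cannot clean up after itself because, once tightened, it can no longer unlink the files it created outside the base directory.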

I'm not 100% sure, but try this as root in your .htaccess:

<Files /limitedperson/php.ini>
order deny,allow
deny from all
</Files>

 

This will tell the server to ignore that file. (At least in theory.)


Thank you, I've never used this filemajig before. I'm really getting aroused by this thread. I'm checking to see if any other arousals pop up. I've subscribed double times and I'm making sure it emails me the answer when you do post it. Thanks in advance, I'm really looking forward to the niceness on my website this will bring.


Thanks oni-kun. It doesn't work though :( - I think that only denies access to the file from the user typing it in the address bar of the browser but the server still reads it.

 

Meh, you're right. I'm not sure if the original php.ini has a 'hardcoded' address for itself that cannot be overridden, it must be an option somewhere.

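Added configuration example (editor's, not something posted in the thread) for the point the last two replies were circling. A `<Files>` deny only governs HTTP requests for that path; the PHP interpreter opens the file from disk and never consults that rule. Whether a php.ini dropped into a subdirectory is read at all depends on how PHP is run: mod_php reads only the system php.ini plus `php_value` lines in `.htaccess`, while CGI/FastCGI builds also load a php.ini from the script's directory and, since PHP 5.3, `.user.ini` files. In every case the fix is to set open_basedir at a level the limited user cannot touch. With mod_php that is `php_admin_value` in the server or virtual-host configuration, which cannot be overridden by `php_value` in `.htaccess`, by `ini_set()`, or by any ini file the user uploads. With PHP-FPM the equivalent is `php_admin_value[open_basedir]` in that user's pool section of the FPM configuration, which likewise beats `.user.ini`. The paths are the ones quoted in the thread; the separate session directory is an assumption.

```apache
# Added example, not from the thread. Belongs in httpd.conf or the site's
# <VirtualHost>, never in a .htaccess the limited user can edit.
<VirtualHost *:80>
    ServerName site.com
    DocumentRoot "/home/sites/site.com/public_html"

    <Directory "/home/sites/site.com/public_html/limited_user">
        # Final value: php_value in .htaccess, ini_set() in a script and any
        # uploaded php.ini/.user.ini cannot widen it. Trailing slashes keep
        # sibling directories such as limited_user2 out of the match.
        php_admin_value open_basedir "/home/sites/site.com/public_html/limited_user/:/home/sites/site.com/tmp/limited_user/"

        # Assumed per-user session directory, so the user cannot read other
        # sites' session files; it must sit inside the open_basedir list above.
        php_admin_value session.save_path "/home/sites/site.com/tmp/limited_user"

        # No .htaccess at all in this subtree, so Options and handlers stay
        # as the administrator set them.
        AllowOverride None
    </Directory>
</VirtualHost>
```

This still needs the host's php.ini to carry `disable_functions` for the process-spawning functions (exec, system, shell_exec, passthru, proc_open, popen), because open_basedir does not apply to commands PHP launches; that directive cannot be set in httpd.conf. Without shell or configuration access, which is the poster's situation, there is nothing on the FTP side that achieves this, so the request has to go to the hosting provider.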
