I'd like to give an isolated web hosting space to a friend of mine on my server. I did:
useradd friend
groupadd sftpusers
mkdir /sftp
mkdir /sftp/friend
mkdir /sftp/friend/home
mkdir /sftp/friend/www
usermod -aG sftpusers friend
chown friend:sftpusers /sftp/friend/home/
chown friend:sftpusers /sftp/friend/www/
usermod -d /sftp/friend/home friend
I added this to sshd_config:
Subsystem sftp internal-sftp -d /home
Match Group sftpusers
ChrootDirectory /sftp/%u
and this to the Apache config:
<VirtualHost *:80>
ServerName friend.example.com
DocumentRoot /sftp/friend/www
<Directory />
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
It works: friend can access SFTP in a chroot jail environment and he cannot go outside of /sftp/friend from SFTP. This is good.
But I noticed he can still use PHP to look at other files from the filesystem: if he creates an index.php
containing:
<?php
print_r(scandir('/'));
?>
he'll see other files from the filesystem: Array ( [0] => . [1] => .. [2] => bin [3] => boot [4] => dev [5] => etc [6] => home [7] => lib [8] => lib64 [9] => media [10] => mnt [11] => opt [12] => proc [13] => root [14] => run [15] => sbin [16] => sftp [17] => srv [18] => sys [19] => tmp [20] => usr [21] => var )
and he can probably also open some files from there with PHP.
Question:
How can I make sure he cannot access anything outside /sftp/friend/, even by using PHP?
Is
php_admin_value "open_basedir" "/sftp/friend"
in the <VirtualHost> config enough as a protection?
Or can malicious code be run to access other websites even with this?
Best Answer
sshd's ChrootDirectory only applies to SSH logins and SFTP/scp file transfers. Apache's DocumentRoot is different: it defines the root of the URI namespace as it relates to Apache serving files in response to HTTP(S) requests, but places no restrictions at all on any other processes the webserver might run or communicate with, such as the PHP script interpreter.
If you use PHP with an Apache plugin, your php_admin_value in the Apache <VirtualHost> configuration seems to be an appropriate solution, but if you use php-fpm or have otherwise arranged the access to PHP processing to be more indirect, you might need to put it into a different configuration file (maybe /etc/php/7.3/fpm/pool.d/www.conf as in Debian 10?), or do something else entirely.
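As an added example (not part of the answer above), a php-fpm pool for this vhost that runs PHP as the SFTP user and pins open_basedir to the jail. The Debian 10 paths come from the page; the pool file name, the socket path and the /sftp/friend/tmp directory are assumptions.

```ini
; /etc/php/7.3/fpm/pool.d/friend.conf (file name assumed; Debian 10 layout as on the page)
[friend]
; Run this pool as the SFTP user, so PHP has exactly the file rights "friend" has
; rather than those of www-data, which can read every other vhost's DocumentRoot.
user = friend
group = sftpusers

; Private socket for this pool; Apache reaches it through mod_proxy_fcgi (path assumed).
listen = /run/php/php7.3-fpm-friend.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; php_admin_value cannot be overridden by ini_set() or .htaccess inside the script.
; The trailing slash matters: "/sftp/friend" is a prefix match and would also
; allow "/sftp/friend2"; "/sftp/friend/" limits PHP to that directory tree.
php_admin_value[open_basedir] = /sftp/friend/

; Upload, temp and session files must live inside open_basedir, or uploads and
; sessions fail. /sftp/friend/tmp is assumed to exist and to be owned by friend.
php_admin_value[upload_tmp_dir] = /sftp/friend/tmp
php_admin_value[sys_temp_dir] = /sftp/friend/tmp
php_admin_value[session.save_path] = /sftp/friend/tmp

; open_basedir only restricts PHP's own file functions, not programs PHP starts,
; so the process-spawning functions are switched off for this pool.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
```

Apache then routes this vhost's PHP requests to the pool with `<FilesMatch "\.php$"> SetHandler "proxy:unix:/run/php/php7.3-fpm-friend.sock|fcgi://localhost/" </FilesMatch>` inside the `<VirtualHost>` (mod_proxy_fcgi enabled). The page's own `scandir('/')` script is a quick check: under this pool it returns false and logs an open_basedir restriction warning instead of listing the filesystem root.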