Apache – A chrooted/isolated SFTP user can still visit the whole filesystem with PHP

Tags: apache-httpd, chroot, PHP, sftp

I'd like to give an isolated web hosting space to a friend of mine on my server. I did:

useradd friend
groupadd sftpusers
mkdir /sftp
mkdir /sftp/friend
mkdir /sftp/friend/home
mkdir /sftp/friend/www
usermod -aG sftpusers friend
chown friend:sftpusers /sftp/friend/home/
chown friend:sftpusers /sftp/friend/www/
usermod -d /sftp/friend/home friend

I added this to sshd_config:

Subsystem sftp internal-sftp -d /home
Match Group sftpusers
ChrootDirectory /sftp/%u

and this to the Apache config:

<VirtualHost *:80>
  ServerName friend.example.com
  DocumentRoot /sftp/friend/www
  <Directory />
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

It works: friend can access SFTP in a chroot jail environment and he cannot get out of /sftp/friend from SFTP. This is good.

But I noticed he can still use PHP to look at other files from the filesystem: if he creates an index.php containing:

<?php
print_r(scandir('/'));
?>

he'll see other files from the filesystem: Array ( [0] => . [1] => .. [2] => bin [3] => boot [4] => dev [5] => etc [6] => home [7] => lib [8] => lib64 [9] => media [10] => mnt [11] => opt [12] => proc [13] => root [14] => run [15] => sbin [16] => sftp [17] => srv [18] => sys [19] => tmp [20] => usr [21] => var ) and he can probably also open some files from there with PHP.

Question:

How can I make sure that he cannot access anything outside /sftp/friend/, even by using PHP?

Is

php_admin_value "open_basedir" "/sftp/friend"

in the <VirtualHost> config enough as a protection?

Or can malicious code be run to access other websites even with this?

Linked: How to prevent PHP on a virtualhost/website from writing to another virtualhost's/website's directory on the same Apache server?

Best Answer

sshd's ChrootDirectory only applies to SSH logins and SFTP/scp file transfers.

Apache's DocumentRoot is different: it defines the root of the URI namespace as it relates to Apache serving files in response to HTTP(S) requests, but places no restrictions at all on any other processes the webserver might run or communicate with, such as the PHP script interpreter.

If you use PHP with an Apache plugin, your php_admin_value in the Apache <VirtualHost> configuration seems to be an appropriate solution, but if you use php-fpm or have otherwise arranged the access to PHP processing to be more indirect, you might need to put it into a different configuration file (maybe /etc/php/7.3/fpm/pool.d/www.conf as in Debian 10?), or do something else entirely.
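As an added example (not code from the question or the answer), a small Python audit that reads an Apache vhost file and reports, per &lt;VirtualHost&gt;, whether a php_admin_value open_basedir is set, whether it actually covers the DocumentRoot, and whether its entries end in a slash, since PHP matches open_basedir entries as string prefixes rather than directory names. The sample configuration is constructed for the example, and the script only looks at the mod_php form of the directive, not at php-fpm pool files.

```python
import posixpath
import re

# Constructed sample (not from the question): the asker's vhost as posted, a hardened
# copy, and a vhost whose open_basedir does not even cover its own DocumentRoot.
SAMPLE_CONF = """
<VirtualHost *:80>
  ServerName friend.example.com
  DocumentRoot /sftp/friend/www
</VirtualHost>
<VirtualHost *:80>
  ServerName hardened.example.com
  DocumentRoot /sftp/friend/www
  php_admin_value open_basedir "/sftp/friend/:/tmp/"
</VirtualHost>
<VirtualHost *:80>
  ServerName wrong.example.com
  DocumentRoot /sftp/other/www
  php_admin_value "open_basedir" "/sftp/friend"
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    # Collect ServerName, DocumentRoot and php_admin_value open_basedir per <VirtualHost>.
    vhosts = []
    for body in VHOST_RE.findall(conf):
        grab = lambda pat: (m := re.search(pat, body, re.M | re.I)) and m.group(1).strip('"')
        vhosts.append({"ServerName": grab(r"^\s*ServerName\s+(\S+)"),
                       "DocumentRoot": grab(r"^\s*DocumentRoot\s+(\S+)"),
                       "open_basedir": grab(r'^\s*php_admin_value\s+"?open_basedir"?\s+(\S+)')})
    return vhosts

def audit_vhost(v):
    # Findings for one vhost; an empty list means the restriction looks sane.
    if v["open_basedir"] is None:
        return ["no open_basedir: PHP may read anywhere the web server user can"]
    entries = [e for e in v["open_basedir"].split(":") if e]
    findings = ["open_basedir contains '/', which restricts nothing"] if "/" in map(posixpath.normpath, entries) else []
    # PHP matches entries as string prefixes: "/sftp/friend" also admits "/sftp/friend2".
    findings += [f"entry {e!r} lacks a trailing slash (prefix match)" for e in entries if not e.endswith("/")]
    docroot = posixpath.normpath(v["DocumentRoot"]) + "/"
    if not any(docroot.startswith(posixpath.normpath(e).rstrip("/") + "/") for e in entries):
        findings.append("open_basedir does not cover DocumentRoot, so scripts there cannot even be opened")
    return findings

def audit(conf):
    return {v["ServerName"]: audit_vhost(v) for v in parse_vhosts(conf) if v["DocumentRoot"]}
```

Run `audit(open("/etc/apache2/sites-enabled/friend.conf").read())` against a real vhost file to get the same per-site findings.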
