In my continued state of paranoia I'm trying to figure out how to set up the following: how to restrict filesystem access from PHP scripts that are executed from a particular directory. Background: a developer gets limited (S)FTP access to upload his application which will run under a specific URL (let's say mydomain.com/application/). Now this application has not been vetted thoroughly, and may have potential security holes to be exploited. How to restrict this application from accessing files in this (DA) user's home directory? Even Maildir can be read. So that's far from ideal.
The server is running NGINX, php-fpm, php7+.
I thought I had a solution by adding this location to the NGINX conf:
Code:
location ~ ^/application/.*\.php$
{
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include /etc/nginx/fastcgi_params;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include /etc/nginx/nginx_limits.conf;
    fastcgi_param PHP_VALUE open_basedir=/tmp/:/home/username/domains/mydomain.com/public_html/application/;
    if (-f $request_filename)
    {
        fastcgi_pass unix:/usr/local/php71/sockets/username.sock;
    }
}
Apart from the PHP_VALUE line, the block is copied straight from the default config. This actually seemed to work, except that the rest of the user's scripts were now also restricted to the paths in the open_basedir PHP_VALUE. Which was confirmed in the accepted answer here on StackExchange.
The solution which might work for my case, which is also mentioned in the StackExchange accepted answer, is a separate PHP-FPM pool. The downside is that this will probably not play nice with the standard DA setup. So my question is: can anyone think of another solution?
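The separate-pool approach the post mentions, as an added example that is not from the original post, from DirectAdmin or from the StackExchange answer: one extra PHP-FPM pool for /application/, with the restriction fixed at pool level as php_admin_value instead of being sent per request. open_basedir can be tightened but never widened at runtime, so a value pushed through PHP_VALUE is not undone for the worker that handled the request, which is why it spread to the rest of the user's scripts that share the same pool. The pool file location, the pool and socket names, the tmp directory and the nginx user are assumptions based on the php71 layout shown above; adjust them to your build.

```ini
; Added example, not from the original post or from DirectAdmin.
; Assumed: this file lives wherever your php-fpm build reads pool files,
; the nginx worker runs as user "nginx", and the tmp directory below exists
; and is writable by "username".
[username_application]
; Same DA user as the main pool, so uploaded files keep their ownership.
user  = username
group = username

; A second socket, separate from /usr/local/php71/sockets/username.sock,
; so only the nginx location for /application/ reaches this pool.
listen       = /usr/local/php71/sockets/username_application.sock
listen.owner = nginx
listen.group = nginx
listen.mode  = 0660

pm                      = ondemand
pm.max_children         = 5
pm.process_idle_timeout = 10s

; php_admin_value cannot be changed by ini_set(), .user.ini or a PHP_VALUE
; fastcgi_param, so the application cannot loosen its own sandbox.
php_admin_value[open_basedir] = /home/username/domains/mydomain.com/public_html/application/:/home/username/domains/mydomain.com/application_tmp/

; Keep uploads, sessions and temp files inside the allowed tree (and outside
; public_html) instead of sharing /tmp with every other script on the box.
php_admin_value[upload_tmp_dir]    = /home/username/domains/mydomain.com/application_tmp
php_admin_value[session.save_path] = /home/username/domains/mydomain.com/application_tmp
php_admin_value[sys_temp_dir]      = /home/username/domains/mydomain.com/application_tmp
```

In the nginx location above, drop the PHP_VALUE line and point fastcgi_pass at the new socket; the rest of the site keeps using username.sock and its unrestricted settings. Reload php-fpm before nginx so the socket exists when the first request arrives.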