Security Issue - Clients accessing my files

stealth87 (Verified User; joined Mar 13, 2007; 6 messages)
I've noticed users can access other files that do not belong to them. Is there a way to prevent this?

The main problem is that my clients can access files on my server, even though I'm the admin.

This is obviously a huge security flaw. Any suggestions on how this can be resolved?

Thank you in advance

-Brad
 
Enable open_basedir protection and add some functions to disable_functions in /usr/local/lib/php.ini.
 
Update your DirectAdmin and go to "PHP SafeMode Configuration".
 
You can switch to suPHP, which will keep users from accessing other users' files. It runs all files and PHP scripts under the user's ID. It'll add to the server load as it's a bit slower than mod_php. I personally notice the server load going up, but it's still acceptable.

One drawback will be with unsecured scripts. Now anyone who gains access will be able to delete all the files for the user who is running an unsecured PHP script. On the other hand, I'd rather lose one user than have the whole server compromised.

If you want to keep mod_php you can enable open_basedir and disable mod_userdir (this keeps people from bypassing open_basedir by gaining access through yourserver.com/~account_name). Also install CGIWrap, otherwise users can use Perl scripts to get around the open_basedir. Also install Suhosin for PHP.
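A check for the open_basedir advice in the replies above, added here as an example and not code from any poster or from DirectAdmin: it flags Apache virtual hosts whose open_basedir is missing or reaches beyond the site's own home directory, since a shared value such as /home/ still lets one account read another's files. It assumes mod_php with a per-vhost `php_admin_value open_basedir` line and a `/home/<user>/` DocumentRoot layout; the function name and the sample config are constructed.

```python
import re

def audit_vhosts(conf):
    """Return findings for every <VirtualHost> block in Apache config text."""
    findings = []
    for m in re.finditer(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        block = m.group(1)
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        root = re.search(r'^\s*DocumentRoot\s+"?([^\s"]+)', block, re.M | re.I)
        label = name.group(1) if name else "(unnamed vhost)"
        # Assumption: the site owner is the <user> in DocumentRoot /home/<user>/...
        owner = re.match(r"/home/([^/]+)/", root.group(1)) if root else None
        if not owner:
            findings.append(f"{label}: DocumentRoot not under /home/<user>/, skipped")
            continue
        home = f"/home/{owner.group(1)}/"
        base = re.search(r'^\s*php_admin_value\s+open_basedir\s+"?([^\s"]+)',
                         block, re.M | re.I)
        if not base or base.group(1).lower() == "none":
            findings.append(f"{label}: no open_basedir set")
            continue
        for path in filter(None, base.group(1).split(":")):
            p = path.rstrip("/") + "/"
            # "/" or another account's directory under /home/ defeats the isolation.
            if p == "/" or (p.startswith("/home/") and not p.startswith(home)):
                findings.append(f"{label}: open_basedir entry {path} reaches outside {home}")
    return findings

# Constructed sample config (documentation address and made-up accounts).
SAMPLE = """
<VirtualHost 192.0.2.10:80>
    ServerName alice.example
    DocumentRoot /home/alice/domains/alice.example/public_html
    php_admin_value open_basedir /home/alice/:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName bob.example
    DocumentRoot /home/bob/domains/bob.example/public_html
    php_admin_value open_basedir /home/:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName carol.example
    DocumentRoot /home/carol/domains/carol.example/public_html
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit_vhosts(SAMPLE):
        print(finding)
```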
 