I have a setup with many users, who can host their personal webpage (served by Apache via mod_userdir), located under public_html in their homes. PHP support is also enabled in Apache.
At the moment I have the following configuration in /etc/apache2/mods-enabled/userdir.conf:

    <IfModule mod_userdir.c>
        UserDir <home basedir>/*/public_html
        UserDir disabled root

        <Directory <home basedir>/*/public_html>
            AllowOverride FileInfo AuthConfig Limit Indexes Options
            Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            <Limit GET POST OPTIONS>
                Require all granted
            </Limit>
            <LimitExcept GET POST OPTIONS>
                Require all denied
            </LimitExcept>
        </Directory>
    </IfModule>

The problem is that, since every PHP script is run by user www-data, each user page has permissions over every other user's public_html. For example, I can get a PHP reverse shell and inspect other users' content.
I have tried to add

    php_admin_value open_basedir "."

inside the Directory tag above. This prevents the security hole described above, but actually only allows the PHP script to go down the directory hierarchy. For example:

    <?php
    chdir('assets');
    echo getcwd();
    chdir('..');
    echo "<br>";
    echo getcwd();
    ?>

produces

    <home>/public_html/assets
    <home>/public_html/assets

The problem is solved if the <home>/public_html path is hardcoded in the open_basedir variable, but of course I need to be able to do this for all users via some variable. Does Apache store the wildcard (<home basedir>/*/public_html) match in some variable that I can access inside the Directory tag? Or are there any better ways to do this, for instance running each user page in a chroot-like environment?
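
The hard-coded variant that the question reports as working can be generated per user instead of typed by hand. The script below is an added example, not part of the original question: it assumes user homes sit directly under a single base directory (`/home` here), that PHP runs under mod_php so `php_admin_value` applies, and the function names and sample accounts are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes homes sit directly
# under one base directory (here /home) and mod_php handles php_admin_value.

# Print one <Directory> block per user, each with a hard-coded open_basedir.
# stdin: passwd(5)-format lines (e.g. `getent passwd`); $1: home base directory.
gen_open_basedir_conf() {
    base=${1%/}
    while IFS=: read -r name _pw _uid _gid _gecos home _shell; do
        [ "$name" = root ] && continue          # mirrors "UserDir disabled root"
        case $home in
            "$base"/*/*) continue ;;            # nested deeper than <base>/<user>
            "$base"/?*) ;;                      # exactly <base>/<user>: keep
            *) continue ;;                      # outside the base directory
        esac
        case $home in                           # characters that could break out
            *[!A-Za-z0-9._/-]*) continue ;;     # of the quoted config value
        esac
        case ${home##*/} in .|..) continue ;; esac
        printf '<Directory "%s/public_html">\n' "$home"
        printf '    php_admin_value open_basedir "%s/public_html"\n' "$home"
        printf '</Directory>\n'
    done
    return 0
}

# Constructed sample input (not real accounts).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
eve:x:1003:1003::/home/eve" x:/bin/sh
svc:x:1004:1004::/home/svc/nested:/bin/false
EOF
}

sample_passwd | gen_open_basedir_conf /home
```

On a real host the input would come from `getent passwd`, and the output would be written to a file that Apache includes, then regenerated whenever accounts are added or removed.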