I’d like to give an isolated web hosting space to a friend of mine on my server. I did:
```
useradd friend
groupadd sftpusers
mkdir /sftp
mkdir /sftp/friend
mkdir /sftp/friend/home
mkdir /sftp/friend/www
usermod -aG sftpusers friend
chown friend:sftpusers /sftp/friend/home/
chown friend:sftpusers /sftp/friend/www/
usermod -d /sftp/friend/home friend
```
I added this to
```
Subsystem sftp internal-sftp -d /home
Match Group sftpusers
    ChrootDirectory /sftp/%u
```
and this to the Apache config:
```
<VirtualHost *:80>
    ServerName friend.example.com
    DocumentRoot /sftp/friend/www
    <Directory />
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```
`friend` can access SFTP in a jailroot environment and he cannot get out of `/sftp/friend` from SFTP. This is good.
But I noticed he can still use PHP to look at other files from the filesystem: if he creates an
```
<?php print_r(scandir('/')); ?>
```
he’ll see other files from the filesystem:
```
Array
(
    [0] => .
    [1] => ..
    [2] => bin
    [3] => boot
    [4] => dev
    [5] => etc
    [6] => home
    [7] => lib
    [8] => lib64
    [9] => media
    [10] => mnt
    [11] => opt
    [12] => proc
    [13] => root
    [14] => run
    [15] => sbin
    [16] => sftp
    [17] => srv
    [18] => sys
    [19] => tmp
    [20] => usr
    [21] => var
)
```
and he can probably also open some files from there with PHP.
How can I make sure that he cannot access anything outside of `/sftp/friend/`, even by using PHP?

Is
```
php_admin_value "open_basedir" "/sftp/friend"
```
enough (in the `<VirtualHost>` config) or can malicious code still be run, even with this?

Linked: How to prevent PHP on a virtualhost/website from writing to another virtualhost’s/website’s directory on the same Apache server?
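
A self-check the server owner can place in the vhost to see what PHP there can reach, as an added example that is not part of the original post. It reports whether `open_basedir` is in force and whether PHP can still start external processes, which `open_basedir` does not confine. The jail path comes from the question; the list of process functions and the name `audit()` are assumptions of this example.

```php
<?php
// Added audit example, not code from the original post.
// Assumption: the jail is /sftp/friend, as in the question.
const JAIL = '/sftp/friend';
// Functions that start external processes. open_basedir only restricts
// PHP's own file functions, not what a spawned process can read.
const PROCESS_FUNCS = ['exec', 'system', 'shell_exec', 'passthru',
                       'popen', 'proc_open', 'pcntl_exec'];

function audit(string $jail): array
{
    $findings = [];

    // 1. Is open_basedir set, and does every entry stay inside the jail?
    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = 'open_basedir is not set';
    }
    foreach (array_filter(explode(PATH_SEPARATOR, $basedir), 'strlen') as $entry) {
        $real = rtrim(realpath($entry) ?: $entry, '/');
        if (strpos($real . '/', $jail . '/') !== 0) {
            $findings[] = "open_basedir entry outside the jail: $entry";
        }
    }

    // 2. The probe from the question: can PHP list the filesystem root?
    if (@scandir('/') !== false) {
        $findings[] = 'scandir("/") works: PHP can list the filesystem root';
    }

    // 3. Process-spawning functions that are still callable.
    //    PHP 8 removes disabled functions; PHP 7 keeps a stub, so check both.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (PROCESS_FUNCS as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is callable: processes it starts are not bound by open_basedir";
        }
    }
    return $findings;
}

header('Content-Type: text/plain');
// The OS account matters: files readable by this user are the real exposure.
if (function_exists('posix_geteuid')) {
    echo 'PHP runs as: ', posix_getpwuid(posix_geteuid())['name'] ?? '?', "\n";
}
$findings = audit(JAIL);
echo $findings ? implode("\n", $findings) : 'no findings', "\n";
```

An empty result only means these three checks passed. The account name printed first shows whether this vhost shares an OS user with other sites on the same Apache server.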