#StackBounty: #apache-httpd #php #sftp #chroot A chrooted/isolated SFTP user can still visit the whole filesystem with PHP

Bounty: 50

I’d like to give an isolated web hosting space to a friend of mine on my server. I did:

useradd friend 
groupadd sftpusers
mkdir /sftp
mkdir /sftp/friend     
mkdir /sftp/friend/home
mkdir /sftp/friend/www 
usermod -aG sftpusers friend
chown friend:sftpusers /sftp/friend/home/
chown friend:sftpusers /sftp/friend/www/
usermod -d /sftp/friend/home friend 

I added this to sshd_config:

Subsystem sftp internal-sftp -d /home
Match Group sftpusers
ChrootDirectory /sftp/%u

and this to the Apache config:

<VirtualHost *:80>
  ServerName friend.example.com
  DocumentRoot /sftp/friend/www
  <Directory />
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

It works: friend can access to SFTP in a jailroot environment and he cannot go out of /sftp/friend from SFTP. This is good.

But I noticed he can still use PHP to look at other files from the filesystem: if he creates an index.php containing:

<?php
print_r(scandir('/'));
?>

he’ll see other files from the filesystem: Array ( [0] => . [1] => .. [2] => bin [3] => boot [4] => dev [5] => etc [6] => home [7] => lib [8] => lib64 [9] => media [10] => mnt [11] => opt [12] => proc [13] => root [14] => run [15] => sbin [16] => sftp [17] => srv [18] => sys [19] => tmp [20] => usr [21] => var ) and he can probably also open some files from there with PHP.

Question:

How to make that he cannot access anything out of /sftp/friend/, even by using PHP?

Is

php_admin_value "open_basedir" "/sftp/friend"

enough (in the <VirtualHost> config) or can malicious code still be run, even with this? Linked: How to prevent PHP on a virtualhost/website from writing to another virtualhost’s/website’s directory on the same Apache server?


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.