Re: Apache+PHP+ftp security

From: Mailinglists Address (
Date: 03/30/05

    Date: Tue, 29 Mar 2005 22:15:46 -0600
    To: abend <>

    >In order to solve my problem, my questions are:
    >- Can I run apache's child processes with an arbitrary user
    >(configured in a VirtualHost basis)? This solves the second problem,
    >but is this a good idea?
    >- Does anyone know how to make the first configuration work as
    >expected? This solves the problem (safe_mode not needed).
    >- any other ideas?
    As someone else has already suggested, proftpd already provides an
    excellent chroot environment for ftp (and also does not require
    duplicated binaries as some old versions of ftpd required; wu-ftpd comes
    to mind). Couple that with the fact that you can also configure proftpd
    to allow users with invalid shells to login to ftp while preventing
    login to other services (ssh, telnet, etc.) it seems like a good fit.

    RequireValidShell off
    DefaultRoot ~ groupname

    Couple that solution with correct usage of PHP's open_basedir within the
    vhost's configuration in apache and that should provide you the level of
    separation you are looking for.

    php_admin_value open_basedir "/home/example/:/tmp"

    Also as an additional security measure you might want to mount your /tmp
    as a partition set with noexec to prevent any of your clients from using
    an application that has potential remote exploits in circulation (a
    certain combination of PHPNuke with the Coppermine gallery has
    personally caused me some problems last year on a vhost server).

    Some things I thought I would pass along.

    Tom Walsh
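
An added example, not part of the original message: a small Python audit of the setup described above, flagging vhosts without a php_admin_value open_basedir line, entries without a trailing slash, directories listed by more than one vhost (such as /tmp), and a /tmp that is not mounted noexec. The sample config, host names, finding labels and function names are constructed for illustration.

```python
import re

# Constructed samples: vhost config (placeholder names) and /proc/mounts-style text.
SAMPLE_VHOSTS = """
<VirtualHost *:80>
    ServerName a.example
    php_admin_value open_basedir "/home/example/:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    php_value open_basedir "/home/example2:/tmp"
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
"""
SAMPLE_MOUNTS = "/dev/sda1 / ext3 rw 0 0\n/dev/sda3 /tmp ext3 rw,nosuid,noexec 0 0\n"

VHOST = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
BASEDIR = re.compile(r'^\s*(php_(?:admin_)?value)\s+open_basedir\s+"?([^"\n]+)', re.M | re.I)

def audit_vhosts(conf):
    """Return sorted (vhost, finding) pairs for the open_basedir setup."""
    findings, owners = set(), {}
    for body in VHOST.findall(conf):
        name = (NAME.findall(body) or ["(unnamed)"])[0]
        m = BASEDIR.search(body)
        if not m:
            findings.add((name, "missing"))  # no open_basedir limit in this vhost
            continue
        if m.group(1).lower() != "php_admin_value":
            # php_admin_value cannot be overridden by .htaccess or ini_set()
            findings.add((name, "not_admin"))
        for path in m.group(2).strip().split(":"):
            if not path.endswith("/"):
                # PHP before 5.2.16/5.3.4 matched such entries as prefixes
                findings.add((name, "prefix:" + path))
            owners.setdefault(path.rstrip("/"), set()).add(name)
    for path, names in owners.items():
        if len(names) > 1:  # same directory reachable from several vhosts
            findings.update((v, "shared:" + path) for v in names)
    return sorted(findings)

def tmp_is_noexec(mounts):
    # False also when /tmp is not a separate mount
    rows = [line.split() for line in mounts.splitlines()]
    return any(f[1] == "/tmp" and "noexec" in f[3].split(",") for f in rows if len(f) >= 4)

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_VHOSTS), tmp_is_noexec(SAMPLE_MOUNTS))
```

A "shared:/tmp" finding matters when every vhost runs PHP under the same Apache user, since temporary and session files written there by one site are then readable by scripts of another.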
