I have an new Ubuntu server and I installed Apache and PHP.
I have two domains: example1.com and example2.com.
How can i prevent example1.com PHP scripts from seeing example2.com folders? and viceversa?
I wish example1.com could only read folders inside /var/www/example1.com/ and example2.com could only read folders inside /var/www/example2.com/ .
Even at this moment both example1.come and example2.com can see the contents of the entire disk /var/... /etc/... everything.
How can I correct the situation?
Thanks, Gabriele
CodePudding user response:
With this simple code I can see all the contents of the disk, even outside the domain folder:
$path = "/"; //or "/etc/" or "/var"
$scandir = scandir($path);
This is the VirtualHost configuration, it is the same for both sites, only the domain name and folder name changes.
<VirtualHost *:80>
DocumentRoot /var/www/example1.it/
ServerName example1.it
ServerAlias www.example1.it
<Directory /var/www/example1.it/>
Options -Indexes FollowSymLinks
AllowOverride All
Require all granted
DirectoryIndex index.html index.htm index.php
</Directory>
</VirtualHost>
CodePudding user response:
What you essentially want to do is to remove read/write/execute access to various folders. Apache is the application which parses your php code that you write above, so you should remove read/write/execute permissions from whatever username you have configured apache to run under i.e. www-data. This will prevent apache executing your above php code successfully as it will not have the necessary permissions to access those files/folders.
For security you shouldn't make apache the owner of any files in the /var/www folder. You should create a separate new user (with no shell) for each web app you store in the www-data folder and assign that new user as owner for all files and folders associated with that particular web app. In this way if Apache is compromised all your web apps and associated files are not compromised simultaneously.
Assign www-data as the group for files and sub-folders in /var/www , so that Apache can read and serve your web apps.
Give www-data read and execute permissions permissions for folders, only give www-data read permissions for files. In this way if Apache is compromised none of your files can not be modified by Apache.
//web app 1, set owner and group, do not set www-data as owner !
sudo chown -R web-app-1:www-data /var/www/app1
//web app 1, set appropriate permissions for all sub-folders as detailed previously
sudo find /var/www/app1 -type d -exec chmod 750 {} \;
//web app 1, set appropriate permissions for all files in sub-folders as detailed previously
sudo find /var/www/html/app1 -type f -exec chmod 640 {} \;