Access Denied Directories not working with lsphp??

nikss

Active Member
#1
i got 2 questions:

1. Access Denied Directories is not working as I expected with Std LiteSpeed
for example:
i can display in php script /etc/passwd
where in main server config Access Denied Directories option is

/etc/*
......

why??

2. I cannot block scripts with
Enable Scripts/ExtApps set to Off
files with extension .php are still executed

in both examples lsphp was compiled for php5 and php4
same with standard php4 lsphp from installer
 

mistwang

LiteSpeed Staff
#2
For the first question, it is normal: LSWS itself will deny access to those directories, but not for the scripts executed. For PHP you need to set "open_basedir". One way to restrict access to some directories is to run the script in a chroot jail, but it will require a lot of extra work to build the chroot environment.

For the second, it should work for vhosts configured through the web admin console. We will verify this.
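
The open_basedir behaviour mentioned in the reply above can be checked from inside PHP itself. This is an added example, not part of the thread and not LiteSpeed code; it assumes PHP 5.3 or later (where open_basedir can be narrowed at runtime), that the script sits in the vhost document root, and the probe paths are constructed samples.

```php
<?php
// Added example: check whether open_basedir confines this PHP process.
// The web server's "Access Denied Directories" list does not apply here,
// because the reads below are done by PHP, not served by the web server.

$allowed = __DIR__;              // assumption: this script lives in the docroot
$probes  = array(
    '/etc/passwd',               // outside the allowed tree
    __FILE__,                    // inside the allowed tree
);

// Returns 'readable' or 'blocked' for one path under the current settings.
function probe($path) {
    // @ hides the open_basedir warning; the return value carries the result.
    $data = @file_get_contents($path, false, null, 0, 32);
    return $data === false ? 'blocked' : 'readable';
}

// Prints the effective open_basedir and the outcome for every probe path.
function report($label, $probes) {
    $base = ini_get('open_basedir');
    echo $label, ' (open_basedir=', $base ? $base : '<unset>', ")\n";
    foreach ($probes as $p) {
        printf("  %-40s %s\n", $p, probe($p));
    }
}

// 1. What the php.ini / server-level configuration gives this process as-is.
report('as configured', $probes);

// 2. Narrow the restriction to the docroot. ini_set() returns false when the
//    change is refused, for example when $allowed lies outside a value
//    already enforced in php.ini.
if (ini_set('open_basedir', $allowed) === false) {
    echo "could not tighten open_basedir at runtime; set it in php.ini\n";
    exit(1);
}
report('after tightening', $probes);
```

Run it through the same PHP binary that serves the site, since a CLI build may load a different php.ini. open_basedir only constrains PHP's own file functions, so CGI programs and other interpreters are unaffected by it.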
 

nikss

Active Member
#3
For the first question, it is normal: LSWS itself will deny access to those directories, but not for the scripts executed. For PHP you need to set "open_basedir". One way to restrict access to some directories is to run the script in a chroot jail, but it will require a lot of extra work to build the chroot environment.

For the second, it should work for vhosts configured through the web admin console. We will verify this.
wow i am impressed - quick answer :)

unfortunately ExtApp Chroot Mode is not working as I expected either
setting Virtual Host Root doesn't remove access to files outside this vhost root
maybe it is not working with Std. LSWS??


another 2 questions

1. is it not possible to achieve the same results as using mod_ruid under apache??
http://websupport.sk/~stanojr/projects/mod_ruid/
I am a simple user who thinks it is the best solution - the webserver takes care of everything
no common www-data group to share, everything runs under a defined numeric uid and gid

2. is it possible to run suexec (fcgi, lsapi) under virtual users (uid and gid taken from a mysql virtual users table - not from unix)
 

mistwang

LiteSpeed Staff
#4
Yes, chroot is an enterprise feature.

Since LSWS can run all scripts in suEXEC mode, including PHP and CGI, you do not need a feature like mod_ruid, and mod_ruid is not that safe without kernel patches.

Answer to your second question is: No.
 