Properly Set Permission to /home/user folder for webserver

Question

I'm currently setting up my own Linux server running CentOs 6. I already know the basic commands etc. but I don't have much experience with apache/php security although I do have a lot of experience with PHP on itself.

So, to test the security on my server I wrote a PHP script that acts like a sort of "navigator". I can go one directory up, open the files, etc. etc.

The problem is, my tools allows me to go up till "/" and I am not very happy with this. Although Apache is being run as "nobody" it seems like it can reach every folder and file on the whole server.

I tried to solve this like cPanel did it, but since I don't have cPanel I don't exactly know how this is done.

Basically I have this:

/home/account/public_html
/home/anotherAccount/public_html

I want to make it so that "anotherAccount" can not access the files of "account". Actually I would love it so "anotherAccount" can't even get outside it's own directory!

Yes, I know you are thinking: Install suPHP/fastcgi/suExec, but I can't do this because they are eating resources. I know it's possible without installing either one of them! I uploaded my script to some professional yet not very known webhost and I was able to go inside / with it, but not inside the home directories except my own. /home/ listed as empty!

How do I secure my home folders?

Answer 1

You can use the open_basedir directive in your php.ini to restrict the script to a directory, see documentation.

If you want different sites to have different restrictions the PHP instances must have different values of open_basedir, which can be set up in apache on a per-virtual-host basis. See this question in stack overflow for more details.

However, note that open_basedir does not apply to external commands executed using system() and friends. If you want to be safe from that it would be best to move on to running several instances of php-fpm as different users or using suPHP. One of the answers to this question contains an explanation of how to set up the ownerships and permissions to only allow users access to their own files.