I'm running Apache on Ubuntu 16.04 and 18.04, and I have configured it to accept connections from several domains. The sites are all stored in /var/www/html like so:
example.com
sub.example.com
sample.com
...Some of these sites are a work-in-progress, and I have created user accounts for the people working on these sites. For such sites, I did a mount --bind of the site's folder to the user's home folder, which they are chrooted to. So, if a user john was working on sample.com, they would see the folder as /sample.com when they log in.
Clearly, the idea is to restrict the users to the projects that they are in charge of. However, because PHP is run with www-data, which owns /var/www/html, any user can modify any file in /var/www/html using PHP.
Is there any way, through .htaccess or any other way, to lock the PHP in each of the site's folders such that it is allowed to only modify folders inside of its site folder? I.E. If I am running a PHP script inside sample.com, the script shouldn't be able to read or write folders above sample.com.
1 Answer
You could use bindfs instead.
Put all your code under /var/www/html/<project>, chown www-data:www-data -R /var/www/html and use bindfs to mount it in the users directory.
Examples:
bindfs -g www-data -m chroot_user1 --create-for-user=www-data --create-for-group=www-data --create-with-perms=0644,a+X /var/www/html/ /home/chroot_user1/wwwroot_example.com/Chroot users will see the code as themselves as owner. But the real permissions will be www-data under the apache directory.
3