security with Apache & PHP

I really hope someone out there has the answer cause I'm a little worried
about this. Here's what is happening:

I have Apache with PHP running on a win2k box.

The Apache service logs on with a dummy user account (MYDOMAIN\apache).

The server is configured to look on a remote file server where everybody has
a file share. (\\FILESERVER\home\*\public_html).

The apache user account the service runs under originally has only
list/read/execute access to each person's public_html.

If a user (userA) decides he wants PHP to be able to write to a folder in
his public_html folder he can use windows security to grant the apache user
write access. (ex: opendir)

Now if another user (userB) knows what this folder is, this means he can
write to userA's folder with PHP.

ex of userB's script:
$fp = fopen("//FILESERVER/home/userA/public_html/opendir/test.txt",w);
if ($fp){
echo "created file";
}
fputs($fp,"this is a test file");
fclose($fp);

It also means that userB can delete anything in this folder.

How would I go about preventing this????

Hello all,

seems I might of found a temporary fix. In the php.ini file I
configured the open_basedir directive like so:

open_basedir .

which effectively prevents users from touching any file in directories that
are higher than the one the script resides in. Of course this makes it a
little trickier for web designers but at least it take the security risk
away.

of course the best solution would be to have php running as a module so that
I can add the:

php_admin_value open_basedir "\FILESERVER\home\*\public_html"

directive to each vhost and directory. Anyone know if they fixed the php
module in apache 2.0.48 for windows???


"kogger" <mono DeleteThis @kog.ca> wrote in message
news:am66c.19218$E71.1293682@news20.bellglobal.com...
 > I really hope someone out there has the answer cause I'm a little worried
 > about this. Here's what is happening:
 >
 > I have Apache with PHP running on a win2k box.
 >
 > The Apache service logs on with a dummy user account (MYDOMAIN\apache).
 >
 > The server is configured to look on a remote file server where everybody
has
 > a file share. (\\FILESERVER\home\*\public_html).
 >
 > The apache user account the service runs under originally has only
 > list/read/execute access to each person's public_html.
 >
 > If a user (userA) decides he wants PHP to be able to write to a folder in
 > his public_html folder he can use windows security to grant the apache
user
 > write access. (ex: opendir)
 >
 > Now if another user (userB) knows what this folder is, this means he can
 > write to userA's folder with PHP.
 >
 > ex of userB's script:
 > $fp = fopen("//FILESERVER/home/userA/public_html/opendir/test.txt",w);
 > if ($fp){
 > echo "created file";
 > }
 > fputs($fp,"this is a test file");
 > fclose($fp);
 >
 > It also means that userB can delete anything in this folder.
 >
 > How would I go about preventing this????
 >
 ><!-- ~MESSAGE_AFTER~ -->