Preventing a PHP file from deleting files in other directories?

Hi,

I'm in need of knowing how to prevent certain PHP files from being able to access files in other directories. I've spent hours searching around for solutions, but nothing has yet worked, so I'd very much appreciate some help.

Essentially, I have a site with a "calendar" directory: http://mysite.com/calendar. I have a secondary FTP account (created via my BlueHost cPanel) which allows other a few people to access only the "calendar" directory through FTP so they can keep the files in that directory up to date.

That all works great - however, the problem is that someone could simply upload a file containing:

<?php
unlink('../index.php');
?>

to the "calendar" directory and delete the entire site, even though their FTP account could only access the "calendar" directory.

Is there any way to prevent files in the "calendar" directory from having any access (unlink(), include(), etc.) to files outside of that directory? Perhaps using .htaccess or CHMOD permissions, or some other method?

Many thanks for any help or advice!

Is there a reason you would want your users to be able to upload .php files? I would suggest you don't allow those file types for starters.

Is there a reason you would want your users to be able to upload .php files? I would suggest you don't allow those file types for starters.

Some of the files they need to keep updated/maintained are PHP files.

I believe I'm getting closer to finding a solution, just need some help figuring this part out. I found a php.ini directive called open_basedir:

http://www.php.net/manual/en/ini.core.php#ini.open-basedir

open_basedir basically allows you to restrict what directories a PHP file can access through include(), fopen(), etc., exactly what I'm looking for. So I went into my php.ini file in the "calendar" directory, found open_basedir, and set it to restrict PHP files in the "calendar" directory from accessing files outside of that directory like so -

html/calendar/php.ini:

open_basedir = /home/user/html/calendar/

It worked great and prevented any PHP file within the "calendar" directory from using the include() function to include files outside of that directory.

But here's the problem: If one of the users with access to the "calendar" directory wanted to, they could simply turn open_basedir Off in the php.ini file, since the php.ini file with that open_basedir restriction resides in the "calendar" directory.

So my question now becomes: could open_basedir be activated in a php.ini file (or through some other means) outside of the "calendar" directory? It's kind of pointless to have the restriction set in a location that users can access anyway.

My hosting provider, BlueHost, does have the option for using a single php.ini file (as in, you can set it so that there's just a single php.ini file located in html/php.ini which all directories use) if that would be of any help.

If someone could point me in the right direction or if you have any other suggestions, feel free to post.

you could try denying write access

Or make it so your users can't execute any scripts in that directory.

Or, just have the directories that are being used for FTP moved/created outside the web root, then no one would be able to access them. Of course, someone would have to review all the uploaded files, and move them to the correct area so they could be run if they are ok.

Ken

Thanks for the quick responses!

you could try denying write access

I made a test file and put it in my main directory with Public and Group write access denied, but was still able to include it within a file in the "calendar" directory, so I'm afraid it didn't work. Though for some reason, in FileZilla, it won't let me deny Owner write access, so I was unable to try that. Sorry if I'm missing the meaning of what you're saying - would I need to somehow deny write permissions for the Owner on files I didn't want accessed?

Or make it so your users can't execute any scripts in that directory.

The scripts in the "calendar" directory still need to run - I just need to prevent them from accessing files outside of that directory. The users who maintain that "calendar" directory via FTP are keeping that section of the website updated for the public. However, I just don't want them to be able to access other parts of the site, which they currently can via using the include() and unlink() functions (among others) within scripts in the "calendar" directory.

Or, just have the directories that are being used for FTP moved/created outside the web root, then no one would be able to access them. Of course, someone would have to review all the uploaded files, and move them to the correct area so they could be run if they are ok.

True, but this was what I was hoping to avoid. A lot of updates are made throughout the week, so reviewing each of the new files/changes individually would take quite a lot of time. I was just hoping for some kind of solution to allow them to independently manage the directory, without having to worry about potential damage to other portions of the site.