• Resolved websitesforsmallbusiness

    (@websitesforsmallbusiness)


    I understand the plugin will allow admins the ability to browse the directory structure even beyond httpdocs.

    On one site the browsing is restricted to the same level as httpdocs, on other installations I am able to browse the entire file server right up to /.

    In your opinion, which is the correct implementation?

    Ideally, I would like to prevent one wordpress admin from looking at the files in other wordpress accounts on the same VPS. Is this achievable? (I have full control over the VPS).

    FYI – the wordpress sites in question are all fresh installs, no other plugins. I’ve checked PHP versions, ruled out Nginx, compared .htaccess, plugins, wordpress versions, file permissions, wp-config files. All the same.

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Dion Hulse

    (@dd32)

    Meta Developer

    Long story short – If you don’t trust the users with the role you’ve given access not to have full access to the servers filesystem, you shouldn’t use this plugin.

    This plugin is not designed to be used as part of a regular-use flow, it’s not designed to prevent users accessing files stored elsewhere on the server.

    The plugin respects any and all restrictions placed upon the PHP user, which would normally prevent you reading another accounts files, but in your case it sounds like that’s not the case.
    To do that you’d want to use PHP-Fpm with separate user accounts per WordPress site; but you’d then also have to do user permissions to prevent reading from files you don’t want them to access.

    The “Lock browsing to directory X” was mostly done for fixing a UX issue, where you could get lost in the filesystem, NOT as a security feature (It’s not a security feature, do not use it as such).

    Anyway – Future versions of the plugin will probably lock users to ABSPATH or WP_CONTENT_DIR with the option to lock it to another directory. Having the free-text option has lead to people using it incorrectly.

    tl;dr: Don’t use this plugin. Only use this plugin where all users who have access to it are trusted to access the entire server. If you have a use-case for this plugin, you’re probably doing it wrong and should re-evaluate why you’re using it.

    Thread Starter websitesforsmallbusiness

    (@websitesforsmallbusiness)

    Hi,
    Thanks for your answer, it was most helpful. Your explanation led me to the answer.

    FYI: It’s not that I want to load the plugin. Any wordpress admin on the VPS could load the plugin and I can’t prevent that.

    The problem was the php setting open_basedir was set to none. Changing that to {WEBSPACEROOT}{/}{:}{TMP}{/} now restricts the read-only view to local webserver files.

    This was the default setting but the wordpress backup plugin Duplicator warned against this value and recommended ‘none’. php.net suggests that it might be a needed setting for some mysql functions. I guess I can test it and see if anything breaks.

    Thanks again.

    open_basedir
    http://php.net/manual/en/ini.core.php#ini.open-basedir

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Directory Browsing Question’ is closed to new replies.