Directory-based access control

Discussion in 'General' started by _qwerty_, Feb 10, 2009.

  1. _qwerty_

    _qwerty_ Member

    I'm trying to come up with a solution which allows me to implement directory-based access control.

    Here is an example:
    I have several domains

    I have SuExec enabled to make sure that users can only access their own files, belonging to their domain. Now I want to implement a little bit more sophisticated access rules, namely
    Inside I have several projects:

    Each user has FTP access to a particular project that he owns. My question is how do I prevent user1 from accessing files of project2 using get_file_contents or readfile? As far as I understand, SuExec can be applied on a domain level, and here we are trying to limit access to a particular folder inside the domain. Any suggestions are highly appreciated!

    Thank you!
  2. _qwerty_

    _qwerty_ Member

    I wonder how come you guys have such a small community around such a great product.

    Reading product description again:

    "Access Control
    Access control rules can be set at server, virtual host and per-directory (context) level."

    Can this '(context)' be applied to my situation?

    I can see
    [Server Level]: lsphp5
    [VHost Level]: $VH_NAME_lsphp

    and I expect to find something like
    [Directory level]: $VH_NAME_$DIR_NAME_lsphp

    Am I going in the wrong direction?
    Are there any product gurus, wizards, ninjas in the community? Please help!
  3. mistwang

    mistwang LiteSpeed Staff

    If you use Apache httpd.conf, you can use

    php_admin_value open_basedir "..."

    with <directory> directives in vhost configuration to limit access.

    If you use the LSWS admin console, just add a context for each project, and apply the above configuration via "Apache style configuration".
  4. _qwerty_

    _qwerty_ Member

    php_value inheritance

    Perfect! Thank you. Exactly what I wanted. Now I'm stuck with php_admin_value inheritance.

    I created a context for each project (I have 60 of them - should I expect any serious performance impact?) and in 'Apache Style Configuration' for each context I put the following:

    php_admin_value open_basedir ".:/var/www/domain01/project01/"

    and it works fine.

    Now for each project I'd like to allow access for common php libraries by adding them to open_basedir path. I've tried to set Virtual Host->General->Apache Style Configurations to

    php_admin_value open_basedir ".:/usr/local/lib/php:/usr/local/lib/php/ZendFramework/library/"

    but it looks like 'Apache Style Configurations' on context level overrides 'Apache Style Configurations' on vhost level.

    So my first question
    1) is there any way to enable simple inheritance so I don't need to explicitly specify path for external libraries for each created project?

    I've tried different 'allow override' options, but I guess it only applies to .htaccess files, which do not support php_value syntax in the case of LiteSpeed.

    2) I wonder if it's possible to use placeholders and define on vhost level something similar to this:

    php_admin_value open_basedir ".:/var/www/domain01/$DIR_NAME/"
  5. mistwang

    mistwang LiteSpeed Staff

    Answers to both of your questions are "NO". You have to configure each directory individually.
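
With no inheritance and no placeholders, each of the 60 contexts needs its own complete open_basedir value. The following is an added example, not code from the thread or from LiteSpeed, that generates those values from the paths quoted above; the helper names, the project-name rule and the decision to leave out "." are assumptions of this example.

```python
import posixpath
import re

# Paths quoted in the thread; adjust to the real layout.
DOMAIN_ROOT = "/var/www/domain01"
SHARED_LIBS = ["/usr/local/lib/php", "/usr/local/lib/php/ZendFramework/library"]
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # assumed naming rule


def as_dir(path):
    """Normalise an absolute path and end it with exactly one slash.

    The trailing slash matters: PHP releases that match open_basedir as a
    plain prefix would otherwise let 'project1' also cover 'project10'.
    """
    if not path.startswith("/") or ":" in path or '"' in path:
        raise ValueError(f"unusable path: {path!r}")
    return posixpath.normpath(path).rstrip("/") + "/"


def open_basedir(project, root=DOMAIN_ROOT, shared=SHARED_LIBS):
    """Return the open_basedir value for one project directory."""
    # One path component only, so '../project02' cannot widen the tree.
    if not NAME_RE.fullmatch(project):
        raise ValueError(f"bad project name: {project!r}")
    root_dir = as_dir(root)
    entries = [root_dir + project + "/"]
    for lib in map(as_dir, shared):
        # A shared path at or above the domain root would hand every
        # project its siblings' files.
        if root_dir.startswith(lib):
            raise ValueError(f"shared path {lib!r} contains {root_dir!r}")
        if not any(lib.startswith(e) for e in entries):  # already covered
            entries.append(lib)
    # '.' from the thread's value is omitted: it follows the script's
    # working directory instead of naming a fixed tree.
    return ":".join(entries)


def directory_block(project, root=DOMAIN_ROOT, shared=SHARED_LIBS):
    """Render the <Directory> block for httpd.conf; for an LSWS context,
    paste only the php_admin_value line."""
    value = open_basedir(project, root, shared)
    path = as_dir(root) + project + "/"
    return (f'<Directory "{path}">\n'
            f'    php_admin_value open_basedir "{value}"\n'
            f'</Directory>\n')


if __name__ == "__main__":
    for n in range(1, 4):  # constructed sample: project01..project03
        print(directory_block(f"project{n:02d}"))
```

The ZendFramework path drops out of the generated value because it already lies under /usr/local/lib/php/.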
