Help: Secure a site while allowings users to run php code

johnnytli

Hi.

I am creating an interactive php site where users can login, create and run php codes. I need to secure my own information including MySQL database connection data and other private info. Is there someway to do this without setting up a user account for each user?

Can some one enlighten me?

Thanks in advance.

MarkR

Sounds like an extremely bad idea.

One possibility is to run the users' PHP under a different web server instance / user than your own code, and using something like SELinux to set an advanced security model for it to severely limit what they can do.

Another is to use safe_mode, but it isn't as safe as it should be and it's a pain in the arse.

Either way you'll also want to disable a lot of functions with disable_functions in php.ini

disable_functions = dl,exec,passthru,system,shell_exec,popen

And that's just for starters. I make no claim that doing any of these things will leave your server safe.

Mark

johnnytli

Thanks Mark.

I don't think I can change php.ini on my host account.

One of my approach was to create new user accounts and then accesing these accounts in the name of the applied user.

Will this work? and Does any one knows of a hosting company that will let me generate hosting accounts from a php script, then access that account from a php page?

MarkR

johnnytli wrote:
Thanks Mark.

I don't think I can change php.ini on my host account.

You are going to need a dedicated box to do this. Don't share it with anyone, and you MUST have root access.

If I was your host, I'd close your shared account for even THINKING about doing this.

Mark

johnnytli

m... I was hoping for a hosting company with reseller packages that let my users create accounts using a web interface and let me have access to it so I can installed my pages on his account.