Hi, I want to start offering free web hosting on my site, but I want to make sure that my php is secured and they can't cause any problems. I know my php is secure for ME, but allowing other people to use php on my server raises some security risks if they can modify stuff outside their folder and such.
I'm running a Windows 2003 dedicated server with PHP 5. All the files they are allowed to upload are in a subdomain under my main site(users.mysite.com). While securing php in that subfolder, I would also like to not limit myself outside of the folder. Basically I want everything out side of that folder to be how it is now, and put everything inside the folder in a box which they can't get out of.
I don't know if I can change the php.ini settings on a folder to folder basis, so what I was thinking was to create 2 installations of php and let them run the restricted version, a good idea? Any help on what settings I should change to make php secure would be great.
I'm also allowing them asp access, is there any security settings I need to worry about there? I don't think so, but I don't use asp.
How does that ^^ secure php? I remember seeing somewhere that php.ini settings can be changed in htaccess, so if it is availabe on windows, what do I need to put in it to lock them inside a box? One thing that I know of that needs to be stopped(There are probably many more, but its the only thing i can think of at the moment), is disallowing the use of:
I don't want them to be able to access anything outside their folder. So say they have a file in mysite.com/username/, they can not run the above code that would be mysite.com/file.php