# Hosting my big problems



## burkoff (Feb 9, 2012)

Hi, I work in the hosting company. In my country we are one of the few using FreeBSD. Please explain what you missed. They had nothing else to do.

Please see shell1.png. After an exploit for Joomla or Wordpress or path is realized FTP password of a user. It stores phpshell spam or hacking. Let this be the problem of the user. I have backups.

The biggest problem is that you can walk across the server and read.
I executed *ls -l /var/db/pkg* and the result is visible in shell2.png. Testing was held in the personal computer with FreeBSD which I put

```
open_basedir = "/usr/local/www"
```

My problem is that shared hosting where the machine is organized with cPanel on FreeBSD can read other people's files as a 'cat', can be seen in mysql password files and config though mysql is available only localhost can be hacked a database.

I have servers with and without suPHP no difference. Occasionally hacked sites.

I am proud that I am using FreeBSD - unlimited possibilities as opposed to Linux - where not much choice. For me, Linux is very very stupid.

I do not want to compete with Linux thinks he is better than me :(

Please help give a survey, share your expertise.
Thanks in advance.

shell1.png

shell2.png


----------



## anomie (Feb 9, 2012)

I can barely understand your English (sorry), but I've made a guess about what you're asking. 

open_basedir does _not_ control or limit PHP functions like shell_exec() or exec() (or several others that are noted in the exec() documentation). If you do not need those functions, then specifically disable them.


----------



## throAU (Feb 10, 2012)

Further to what anomie said, I think what you really want to do is run the hosted content in a JAIL environment and allocate 1 jail per hosted user, so that an exploit within that user's jail via PHP or whatever is contained to their jail only.


----------



## burkoff (Feb 10, 2012)

In short, I forbid to read


```
/users/user1/public_html
```
in

```
/users/user2/public_html
```

Shared Hosting
with phpShell possible ;(


----------



## SirDice (Feb 10, 2012)

It'll be difficult. Remember the webserver needs to be able to read those files too. Which usually means they're world-readable.

You may be able to set the correct permissions using ACLs. See setfacl(1) and getfacl(1).


----------
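An added example, not part of any post above: a POSIX sh sketch of the permission point SirDice raises. It lists the files another local account could read under the `<root>/<user>/public_html` layout used in the thread, and closes a home directory while optionally granting the web server traverse access through setfacl(1). The function names, the web account name and the ACL filesystem setup are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten a shared-hosting tree.
# Assumed layout (taken from the thread's paths): <root>/<user>/public_html

# Print every file that an unrelated local account could read with cat:
# the file has o+r and every directory from the user's home down has o+x.
exposed_files() {
    root=$1
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        # Home without o+x: nothing below it is reachable by "other".
        [ -n "$(find "$home" -prune -perm -001 -print)" ] || continue
        [ -d "$home/public_html" ] || continue
        find "$home/public_html" \
            \( -type d ! -perm -001 -prune \) -o \
            \( -type f -perm -004 -print \)
    done
}

# Close a home directory to "other". If a web server account is given
# (hypothetical name, e.g. www), grant it traverse-only access with an ACL.
# The entry uses POSIX.1e syntax (assumption: UFS mounted with ACLs enabled;
# NFSv4 ACLs, as on ZFS, use a different entry format).
close_home() {
    home=$1
    webuser=${2:-}
    chmod o-rwx "$home"
    if [ -n "$webuser" ]; then
        setfacl -m "u:$webuser:x" "$home"
    fi
}
```

Where PHP runs as the web server account (mod_php), the ACL entry also lets every site's scripts traverse the closed home, so this layout only separates users when PHP runs as the site owner, as with suPHP.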

