Hello,
Since the 1.9 InterWorx release, users may access their website by using the IP and their account name:
http://xxx.xxx.xxx.xxx/~account
We will name this method the user_dir method.
It's OK, but if you do not modify the httpd.conf file it may cause a huge security hole.
Indeed, if you protect a folder with .htaccess and .htpasswd files, this protection will not work when users access your website by using the 'user_dir' method.
-> see my previous post: http://interworx.info/forums/showthread.php?t=514 and how we resolved this problem
In fact, when a user accesses the website using the user_dir method, Apache takes into account the options in <Directory /home/*/public_html> and not the definition of the VirtualHost.
Another problem with this solution is that, in fact, Apache takes the first VirtualHost definition found on this IP.
For example, I have edited my Apache domain.tld.conf file to add this line:
php_value include_path ".:/home/xxx/yyy/zzz"
Now, if we look at a phpinfo, we will see that we do not have the right include_path when accessing our website by using the user_dir method, but we have the right one when accessing our website by using the normal method (http://domain.tld):
http://65.110.36.145/~hebergem/info.php
-> look at the include_path: it is wrong; in fact it is the default one.
http://hebegrement-siteweb.fr/info.php
-> The include_path is the right one.
If you look closely at the phpinfo with the user_dir method, there is something very bad:
Server Administrator webmaster@aides-zen.net
Hostname:Port aides-zen.net:0
DOCUMENT_ROOT /home/aideszen/aides-zen.net/html
SERVER_ADMIN webmaster@aides-zen.net
SCRIPT_FILENAME /home/hebergem/public_html/info.php
It takes as Server Administrator, hostname, DOCUMENT_ROOT and SERVER_ADMIN the data of the first VirtualHost hosted on this IP. The script filename is OK.
I am afraid. Does it mean that it takes all the VirtualHost configuration? YES
It also means that even if the user has the AllowOverride option set on, the php_value/php_flag .htaccess data he creates won't work well.
So be very careful when you give this access method to your users.
All comments on how to set up the user_dir correctly to have exactly the same options/rights as the VirtualHost are really welcome.
Pascal
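Added example, not from Pascal's post and not InterWorx's shipped configuration: the per-directory block that Apache actually applies to a http://IP/~account/ request, shown once in the weak form the post describes (no AllowOverride, no php_value) and once mirroring what the account's VirtualHost would have set. The paths /home/*/public_html and /home/hebergem/public_html, the include_path value and the account name "otheraccount" are assumed for illustration; the access-control lines use Apache 2.2 syntax.

```apache
# Added example (not InterWorx's config, not the original poster's).
# Assumed layout: per-account docroot /home/<account>/public_html.
UserDir public_html

# WEAK (the behaviour described in the post): .htaccess is ignored because
# AllowOverride is None, so .htpasswd protection under ~account does nothing,
# and no php_value is set here, so PHP falls back to its default include_path.
#<Directory /home/*/public_html>
#    AllowOverride None
#    Options Indexes FollowSymLinks
#    Order allow,deny
#    Allow from all
#</Directory>

# CORRECTED: a ~account request is served by the first VirtualHost on the IP,
# never by the account's own VirtualHost, so everything that VirtualHost set
# per directory must be repeated here.
<Directory /home/*/public_html>
    # AuthConfig: AuthType/AuthUserFile/Require in .htaccess take effect.
    # Limit: Order/Allow/Deny in .htaccess take effect.
    # Options: required for php_value/php_flag in .htaccess to be honoured.
    # FileInfo: rewrite/handler/ErrorDocument directives in .htaccess.
    AllowOverride AuthConfig Limit Options FileInfo
    Options Indexes FollowSymLinks
    Order allow,deny            # Apache 2.2; on 2.4 use "Require all granted"
    Allow from all
</Directory>

# Per-account PHP settings cannot live in the account's VirtualHost if they
# must also apply under ~account; put them in a specific <Directory> block,
# placed after the wildcard block so it overrides it. Value assumed.
<Directory /home/hebergem/public_html>
    php_value include_path ".:/home/xxx/yyy/zzz"
</Directory>

# What no <Directory> block can fix: SERVER_NAME, SERVER_ADMIN and
# DOCUMENT_ROOT under ~account still come from the first VirtualHost on the
# IP. For accounts that must not be reachable that way, turn UserDir off
# for them (hypothetical account name):
UserDir disabled otheraccount
```

The check after reloading Apache: request /~account/info.php over the IP and confirm that include_path now matches the VirtualHost and that a .htpasswd-protected folder returns 401 instead of the content. DOCUMENT_ROOT and SERVER_ADMIN will still show the first VirtualHost's values; that part of the post's observation is inherent to UserDir on a shared IP and is only avoided by disabling UserDir for the accounts concerned.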