允许第三方将 PHP 上传到站点的安全性
我正在考虑构建一个旨在允许用户测试 PHP 代码的网站,并且想知道是否有一种安全的方法来实现此类功能。
特别值得关注的是,是否有一种实用的方法可以让他们只编辑单个文件夹的内容,而无需在服务器上为网站的每个用户提供单独的用户?
我想到的另一件事是 system() 函数,尽管看起来这应该很容易通过在服务器上创建一个几乎没有可用命令的用户来禁用。
还有什么我应该关心的吗?似乎应该有很多问题,但我实在想不起来很多。
另外,我意识到这可能属于服务器故障,但我认为这里的人们会对 PHP 有更细致的了解。
I'm looking at building a site designed to allow users to test PHP code and was wondering if there's a safe way to implement such functionality.
Of particular concern, is there a practical way to allow them to only edit the contents of a single folder without having a separate user on the server for every user of the site?
Another thing which comes to mind is the system() function, though it seems this should be trivially easy to disable by creating a single user on the server with virtually no commands available to it.
Is there anything else I should be concerned with? It seems as though there should be myriad problems, but I can't really think of many.
Also, I realise this may belong on serverfault, but I thought that people here would have a more nuanced understanding of PHP.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我可能会创建一个 chroot 的 Apache 实例,以及一个非常有限的用户,它将运行该实例,上传的文件将属于该实例。尽管您可以设置 禁用功能。
恕我直言,在操作系统级别限制用户比在 PHP 中设置障碍更重要。
不过,请务必设置一些资源限制 - 至少针对内存、CPU 时间和实际运行时间。
I'd probably create a chroot-ed instance of Apache, and also a very limited user as which it will run and to whom the uploaded files will belong. PHP doesn't really come into the equation here (besides safe_mode), although you could set up a blacklist of disabled functions.
Much more important is IMHO to limit the user on the OS level, than to build up barriers in PHP.
Do set up some resource limits though - at least for memory, CPU time, and wall time.
您想做类似 CodePad 所做的事情吗?他们在“关于”页面上介绍了他们使用的技术:
Do you want to do something similar, that CodePad does? They have some words about the technology they use on their "about" page: