Re: Permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Phil,

Phil Ewington - 43 Plc wrote:
Hi All,

I have a need for a PHP application to read/write Linux system files that
have root.root ownership. At present reading not a problem but writing
obviously is denied. I know there are probably some serious security issues
here, but what should I be doing to allow this behaviour. I am running PHP
4.3.8 on Linux Redhat Fedora 1 installed as an Apache module.

I'd write a wrapper. The wrapper has the suid and/or the sgid bit set.
Your script from the webserver opens a process for that wrapper.
The wrapper sets uid and/or gid, then reads its conf with new privileges; where to put the files. Next it opens stdin and reads from it.
There you php-script writes data to the process-descriptor.
The wrapper checks whether it is meaningful data, and if, it stores data at the place it's conf said to store it.


So your phpscript isn't exploitable that much that it can overwrite random system control files.

Just an idea.

Stephan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux