On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
> On 10/20/06, Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@xxxxxxx> wrote:
>> On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:
>>
>> > Andy Hultgren wrote:
>> >> To whoever was asking this (sorry didn't see the original email):
>> >>
>> >>>> Is it possible to have a PHP script execute as the user of the domain
>> >>>> instead of the webserver? So when I upload files through a PHP script
>> >>>> they are owned by me and not "wwwrun" or "nobody"?
>> >>
>> >> I was recently exchanging on this list about that very topic. It's in the
>> >> archives for this list. Go to www.php.net and set the dropdown menu in the
>> >> upper right corner of the page to "general mailing list", then type "File
>> >> Upload Security and chmod" into the search field and hit enter. The
>> >> conversation is within the first few hits on this search.
>> >> The server hosting my site runs with php executing as "me" (the owner of
>> >> the
>> >> domain), and we covered some of the potential security pitfalls of such a
>> >> situation (mainly centered on the fact that this makes any php script far
>> >> too powerful). In my situation I couldn't change how the server was set
>> >> up;
>> >> however, the general consensus was that this situation created a number of
>> >> serious security concerns that had to be very carefully addressed. I would
>> >> avoid this configuration if you have the choice, based purely on the advice
>> >> I received.
>> >
>> > Actually you have that the wrong way around.
>> >
>> > If php is running as "www" or "nobody" then any files or directories
>> > that a php script creates will be done as the web server user.
>> >
>> > That means (potentially) that if domain 'a' creates a file, domain 'b'
>> > can read and write to that file and even delete it.
>> >
>> >
>> > If php is running as you instead, you can control this with appropriate
>> > chmod commands (at least removing the risk of deleting of files /
>> > updating of files).
>> >
>> > A shared user (like "www" or "nobody") is a *much* bigger risk than
>> > separate users.
>>
>> Unless those separate users have a little more access than just SSH
>> and FTP access to the machine... I guess that if anyone with special
>> rights carelessly activates suPHP and leaves the PHP files owned by him,
>> you'd have PHP scripts capable of reading out special log files and
>> whatnot.
>>
>> To my experience, apache (with PHP running as www-data or nobody or
>> whatever) will not be able to create files or folders without user
>> intervention (chmod, chown), thus no updating and removing is possible
>> either by default.
>
> php running through apache:
>
> <?php
> mkdir('/path/to/dir');
> ?>
>
> Making that in a "shared" location will allow *any* domain to write to
> it, read from it or delete it (forget about possible open_basedir
> restrictions).
I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at least)...
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
