chris smith wrote:
> On 10/21/06, Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@xxxxxxx> wrote:
>> On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
>>
>> > On 10/20/06, Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@xxxxxxx> wrote:
....
>> >>
>> >> To my experience, apache (with PHP running as www-data or nobody or
>> >> whatever) will not be able to create files or folders without user
>> >> intervention (chmod, chown), thus no updating and removing is possible
>> >> either by default.
>> >
>> > php running through apache:
>> >
>> > <?php
>> > mkdir('/path/to/dir');
>> > ?>
>> >
>> > Making that in a "shared" location will allow *any* domain to write to
>> > it, read from it or delete it (forget about possible open_basedir
>> > restrictions).
>>
>> I see your point and I agree this is an issue, but given the
>> relatively small incidence of such a situation, I personally would not
>> say
>> this is a much bigger problem than a PHP file being able to remove all
>> other files owned by the same owner (i.e. usually the whole site at
>> least)...
>
> Running it as separate users removes safe-mode problems (the file
> uploaded will be as "www" or "nobody", the script trying to access it
> is "user"), stops you having to have '777' type permissions on "temp"
> or "data" directories, "user a" can't do anything to "user b"s files
> and so on.
but php and the webserver now has full rights over all your files not just
a few of your designated data files. e.g.
exec('rm ~/.ssh/*'); // nice
maybe you should check out open_base_dir, for instance set it in the vhost
config:
php_admin_value open_base_dir "/path2/2/web/include_dir:/path/2/webroot:/usr/lib/php:";
> Plus if your domain gets hacked through php, they can
> *only* do damage to your domain. They'd have to hack the other domains
> on the server because they are owned by different users...
how relevant is this is in relation to actual cracking practices (e.g. escalating
privelege to root)? and doesn't 'open base dir' solve this just as well?
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
