On Sat, 21 Oct 2006 14:41:11 +1000, chris smith wrote:
> On 10/21/06, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
>> chris smith wrote:
>> > On 10/21/06, Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@xxxxxxx> wrote:
>> >> On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
>> >>
>> >> > On 10/20/06, Ivo F.A.C. Fokkema <I.F.A.C.Fokkema@xxxxxxx> wrote:
>>
>> ....
>>
>> >> >>
>> >> >> To my experience, apache (with PHP running as www-data or nobody or
>> >> >> whatever) will not be able to create files or folders without user
>> >> >> intervention (chmod, chown), thus no updating and removing is possible
>> >> >> either by default.
>> >> >
>> >> > php running through apache:
>> >> >
>> >> > <?php
>> >> > mkdir('/path/to/dir');
>> >> > ?>
>> >> >
>> >> > Making that in a "shared" location will allow *any* domain to write to
>> >> > it, read from it or delete it (forget about possible open_basedir
>> >> > restrictions).
>> >>
>> >> I see your point and I agree this is an issue, but given the
>> >> relatively small incidence of such a situation, I personally would not
>> >> say
>> >> this is a much bigger problem than a PHP file being able to remove all
>> >> other files owned by the same owner (i.e. usually the whole site at
>> >> least)...
>> >
>> > Running it as separate users removes safe-mode problems (the file
>> > uploaded will be as "www" or "nobody", the script trying to access it
>> > is "user"), stops you having to have '777' type permissions on "temp"
>> > or "data" directories, "user a" can't do anything to "user b"s files
>> > and so on.
>>
>> but php and the webserver now has full rights over all your files not just
>> a few of your designated data files. e.g.
>>
>> exec('rm ~/.ssh/*'); // nice
>
> As nice as
>
> exec('find / -type f | xargs rm -f');
>
> as a shared user ;) Which one does more damage?
This wouldn't do much damage on my system... Just removing the session
data, some uploaded files and some error logs. Damage is very
dependent on system setup and type of sites. Still sticking by my opinion,
since in my case doing that command as a ftp user is *much* more
problematic... :)
Ivo
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
