Re: [PHP] User question for PHP

2006-10-23 Thread Ivo F.A.C. Fokkema
On Sat, 21 Oct 2006 14:41:11 +1000, chris smith wrote:

 On 10/21/06, Jochem Maas [EMAIL PROTECTED] wrote:
 chris smith wrote:
  On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
  On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:
 
   On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:

 

  
   To my experience, apache (with PHP running as www-data or nobody or
   whatever) will not be able to create files or folders without user
   intervention (chmod, chown), thus no updating and removing is possible
   either by default.
  
   php running through apache:
  
   <?php
   mkdir('/path/to/dir');
   ?>
  
   Making that in a shared location will allow *any* domain to write to
   it, read from it or delete it (forget about possible open_basedir
   restrictions).
 
  I see your point and I agree this is an issue, but given the
  relatively small incidence of such a situation, I personally would not say
  this is a much bigger problem than a PHP file being able to remove all
  other files owned by the same owner (i.e. usually the whole site at least)...
 
  Running it as separate users removes safe-mode problems (the file
  uploaded will be as www or nobody, the script trying to access it
  is user), stops you having to have '777' type permissions on temp
  or data directories, user a can't do anything to user b's files
  and so on.

 but php and the webserver now have full rights over all your files, not just
 a few of your designated data files. e.g.

 exec('rm ~/.ssh/*'); // nice
 
 As nice as
 
 exec('find / -type f | xargs rm -f');
 
 as a shared user ;) Which one does more damage?

This wouldn't do much damage on my system... Just removing the session
data, some uploaded files and some error logs. Damage is very
dependent on system setup and type of sites. Still sticking by my opinion,
since in my case doing that command as an FTP user is *much* more
problematic... :)

Ivo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] User question for PHP

2006-10-23 Thread Richard Lynch
On Thu, October 19, 2006 1:49 pm, Tom Ray [Lists] wrote:
 Is it possible to have a PHP script execute as the user of the domain
 instead of the webserver? So when I upload files through a PHP script
 they are owned by me and not wwwrun or nobody?

On a dedicated server, it's trivial to do it.
Look in httpd.conf for User
Could also be dangerous, or a boon, depending on what you do with it
next, and what you do with it years down the road...

On a shared server, with VirtualHosts, it gets more complicated
You're looking at proxyservers, fastcgi with suexec or similar stuff.
This also brings some potential dangers etc.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] User question for PHP

2006-10-23 Thread Richard Lynch
On Fri, October 20, 2006 12:49 am, Chris wrote:
 A shared user (like www or nobody) is a *much* bigger risk than
 separate users.

*MUST* we go through all the permutations of "What if..." for these
two scenarios again?

The Risk cannot be evaluated outside the context of everything else
you do after that.

The Risk from your fellow users is reduced when you own the files.

The Risks of a malicious file being uploaded/written/included having
more power than it should is increased when you own the files.

Which Risk is bigger depends on what you use the server and PHP to
*do* and how you do those things.

What if Notre Dame plays in the Rose Bowl?...
:-)
[Note to non-sports-non-ND-people.  It's a stupid question, as ND is
not eligible, but generates endless mindless arguments for reasons
beyond my ken.]




Re: [PHP] User question for PHP

2006-10-23 Thread Richard Lynch
On Fri, October 20, 2006 8:24 am, chris smith wrote:
 php running through apache:

 <?php
 mkdir('/path/to/dir');
 ?>

 Making that in a shared location will allow *any* domain to write to
 it, read from it or delete it (forget about possible open_basedir
 restrictions).

If 'nobody' can read/write to be able to do the mkdir() in the first
place, then whether you do the mkdir() or the other user does it is
irrelevant.  They ALREADY have the access to that dir through PHP.

 Running as cgi you don't get that problem.

Maybe, maybe not.

Depends on the chmod and umask settings of the directory and/or your
script.

 I could be completely misunderstanding what suPHP does.

Possibly.

Or simply under-estimating the bad practices in BOTH scenarios which
can lead to disaster.

It's a fork in the road.

Taking either fork involves risks, of a different nature.

Understand the Risks, and how they relate to what YOU are doing.

Taking either fork blindly because somebody told you it's safer is
the BAD OPTION.




Re: [PHP] User question for PHP

2006-10-20 Thread Ivo F.A.C. Fokkema
On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:

 Andy Hultgren wrote:
 To whoever was asking this (sorry didn't see the original email):
 
 Is it possible to have a PHP script execute as the user of the domain
 instead of the webserver? So when I upload files through a PHP script
 they are owned by me and not wwwrun or nobody?
 
 I was recently exchanging on this list about that very topic.  It's in the
 archives for this list.  Go to www.php.net and set the dropdown menu in the
 upper right corner of the page to "general mailing list", then type "File
 Upload Security and chmod" into the search field and hit enter.  The
 conversation is within the first few hits on this search.
 The server hosting my site runs with php executing as me (the owner of the
 domain), and we covered some of the potential security pitfalls of such a
 situation (mainly centered on the fact that this makes any php script far
 too powerful).  In my situation I couldn't change how the server was set up;
 however, the general consensus was that this situation created a number of
 serious security concerns that had to be very carefully addressed.  I would
 avoid this configuration if you have the choice, based purely on the advice
 I received.
 
 Actually you have that the wrong way around.
 
 If php is running as www or nobody then any files or directories 
 that a php script creates will be done as the web server user.
 
 That means (potentially) that if domain 'a' creates a file, domain 'b' 
 can read and write to that file and even delete it.
 
 
 If php is running as you instead, you can control this with appropriate 
 chmod commands (at least removing the risk of deleting of files / 
 updating of files).
 
 A shared user (like www or nobody) is a *much* bigger risk than 
 separate users.

Unless those separate users have a little more access than just SSH
and FTP access to the machine... I guess that if anyone with special
rights carelessly activates suPHP and leaves the PHP files owned by him,
you'd have PHP scripts capable of reading out special log files and
whatnot.

To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.

Using suPHP, it is. You can argue that it can only do this to the PHP
files owned by the same user, and therefore probably limiting the damage
to one specific website, however we're still having a security problem.

Both situations seem dangerous to me, both in different ways. Wouldn't
you say that the user must know what the hell he's doing in both
situations?

Ivo




Re: [PHP] User question for PHP

2006-10-20 Thread chris smith

On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:

On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:

 Andy Hultgren wrote:
 To whoever was asking this (sorry didn't see the original email):

 Is it possible to have a PHP script execute as the user of the domain
 instead of the webserver? So when I upload files through a PHP script
 they are owned by me and not wwwrun or nobody?

 I was recently exchanging on this list about that very topic.  It's in the
 archives for this list.  Go to www.php.net and set the dropdown menu in the
 upper right corner of the page to "general mailing list", then type "File
 Upload Security and chmod" into the search field and hit enter.  The
 conversation is within the first few hits on this search.
 The server hosting my site runs with php executing as me (the owner of the
 domain), and we covered some of the potential security pitfalls of such a
 situation (mainly centered on the fact that this makes any php script far
 too powerful).  In my situation I couldn't change how the server was set up;
 however, the general consensus was that this situation created a number of
 serious security concerns that had to be very carefully addressed.  I would
 avoid this configuration if you have the choice, based purely on the advice
 I received.

 Actually you have that the wrong way around.

 If php is running as www or nobody then any files or directories
 that a php script creates will be done as the web server user.

 That means (potentially) that if domain 'a' creates a file, domain 'b'
 can read and write to that file and even delete it.


 If php is running as you instead, you can control this with appropriate
 chmod commands (at least removing the risk of deleting of files /
 updating of files).

 A shared user (like www or nobody) is a *much* bigger risk than
 separate users.

Unless those separate users have a little more access than just SSH
and FTP access to the machine... I guess that if anyone with special
rights carelessly activates suPHP and leaves the PHP files owned by him,
you'd have PHP scripts capable of reading out special log files and
whatnot.

To my experience, apache (with PHP running as www-data or nobody or
whatever) will not be able to create files or folders without user
intervention (chmod, chown), thus no updating and removing is possible
either by default.


php running through apache:

<?php
mkdir('/path/to/dir');
?>

Making that in a shared location will allow *any* domain to write to
it, read from it or delete it (forget about possible open_basedir
restrictions).

Running as cgi you don't get that problem.

I could be completely misunderstanding what suPHP does.
--
Postgresql & php tutorials
http://www.designmagick.com/




Re: [PHP] User question for PHP

2006-10-20 Thread Ivo F.A.C. Fokkema
On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:

 On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
 On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:

  Andy Hultgren wrote:
  To whoever was asking this (sorry didn't see the original email):
 
  Is it possible to have a PHP script execute as the user of the domain
  instead of the webserver? So when I upload files through a PHP script
  they are owned by me and not wwwrun or nobody?
 
  I was recently exchanging on this list about that very topic.  It's in the
  archives for this list.  Go to www.php.net and set the dropdown menu in the
  upper right corner of the page to "general mailing list", then type "File
  Upload Security and chmod" into the search field and hit enter.  The
  conversation is within the first few hits on this search.
  The server hosting my site runs with php executing as me (the owner of the
  domain), and we covered some of the potential security pitfalls of such a
  situation (mainly centered on the fact that this makes any php script far
  too powerful).  In my situation I couldn't change how the server was set up;
  however, the general consensus was that this situation created a number of
  serious security concerns that had to be very carefully addressed.  I would
  avoid this configuration if you have the choice, based purely on the advice
  I received.
 
  Actually you have that the wrong way around.
 
  If php is running as www or nobody then any files or directories
  that a php script creates will be done as the web server user.
 
  That means (potentially) that if domain 'a' creates a file, domain 'b'
  can read and write to that file and even delete it.
 
 
  If php is running as you instead, you can control this with appropriate
  chmod commands (at least removing the risk of deleting of files /
  updating of files).
 
  A shared user (like www or nobody) is a *much* bigger risk than
  separate users.

 Unless those separate users have a little more access than just SSH
 and FTP access to the machine... I guess that if anyone with special
 rights carelessly activates suPHP and leaves the PHP files owned by him,
 you'd have PHP scripts capable of reading out special log files and
 whatnot.

 To my experience, apache (with PHP running as www-data or nobody or
 whatever) will not be able to create files or folders without user
 intervention (chmod, chown), thus no updating and removing is possible
 either by default.
 
 php running through apache:
 
 <?php
 mkdir('/path/to/dir');
 ?>
 
 Making that in a shared location will allow *any* domain to write to
 it, read from it or delete it (forget about possible open_basedir
 restrictions).

I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at least)...




Re: [PHP] User question for PHP

2006-10-20 Thread chris smith

On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:

On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:

 On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
 On Fri, 20 Oct 2006 15:49:14 +1000, Chris wrote:

  Andy Hultgren wrote:
  To whoever was asking this (sorry didn't see the original email):
 
  Is it possible to have a PHP script execute as the user of the domain
  instead of the webserver? So when I upload files through a PHP script
  they are owned by me and not wwwrun or nobody?
 
  I was recently exchanging on this list about that very topic.  It's in the
  archives for this list.  Go to www.php.net and set the dropdown menu in the
  upper right corner of the page to "general mailing list", then type "File
  Upload Security and chmod" into the search field and hit enter.  The
  conversation is within the first few hits on this search.
  The server hosting my site runs with php executing as me (the owner of the
  domain), and we covered some of the potential security pitfalls of such a
  situation (mainly centered on the fact that this makes any php script far
  too powerful).  In my situation I couldn't change how the server was set up;
  however, the general consensus was that this situation created a number of
  serious security concerns that had to be very carefully addressed.  I would
  avoid this configuration if you have the choice, based purely on the advice
  I received.
 
  Actually you have that the wrong way around.
 
  If php is running as www or nobody then any files or directories
  that a php script creates will be done as the web server user.
 
  That means (potentially) that if domain 'a' creates a file, domain 'b'
  can read and write to that file and even delete it.
 
 
  If php is running as you instead, you can control this with appropriate
  chmod commands (at least removing the risk of deleting of files /
  updating of files).
 
  A shared user (like www or nobody) is a *much* bigger risk than
  separate users.

 Unless those separate users have a little more access than just SSH
 and FTP access to the machine... I guess that if anyone with special
 rights carelessly activates suPHP and leaves the PHP files owned by him,
 you'd have PHP scripts capable of reading out special log files and
 whatnot.

 To my experience, apache (with PHP running as www-data or nobody or
 whatever) will not be able to create files or folders without user
 intervention (chmod, chown), thus no updating and removing is possible
 either by default.

 php running through apache:

 <?php
 mkdir('/path/to/dir');
 ?>

 Making that in a shared location will allow *any* domain to write to
 it, read from it or delete it (forget about possible open_basedir
 restrictions).

I see your point and I agree this is an issue, but given the
relatively small incidence of such a situation, I personally would not say
this is a much bigger problem than a PHP file being able to remove all
other files owned by the same owner (i.e. usually the whole site at least)...


Running it as separate users removes safe-mode problems (the file
uploaded will be as www or nobody, the script trying to access it
is user), stops you having to have '777' type permissions on temp
or data directories, user a can't do anything to user b's files
and so on. Plus if your domain gets hacked through php, they can
*only* do damage to your domain. They'd have to hack the other domains
on the server because they are owned by different users...




Re: [PHP] User question for PHP

2006-10-20 Thread Jochem Maas
chris smith wrote:
 On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
 On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:

  On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:



 
  To my experience, apache (with PHP running as www-data or nobody or
  whatever) will not be able to create files or folders without user
  intervention (chmod, chown), thus no updating and removing is possible
  either by default.
 
  php running through apache:
 
  <?php
  mkdir('/path/to/dir');
  ?>
 
  Making that in a shared location will allow *any* domain to write to
  it, read from it or delete it (forget about possible open_basedir
  restrictions).

 I see your point and I agree this is an issue, but given the
 relatively small incidence of such a situation, I personally would not say
 this is a much bigger problem than a PHP file being able to remove all
 other files owned by the same owner (i.e. usually the whole site at least)...
 
 Running it as separate users removes safe-mode problems (the file
 uploaded will be as www or nobody, the script trying to access it
 is user), stops you having to have '777' type permissions on temp
 or data directories, user a can't do anything to user b's files
 and so on.

but php and the webserver now have full rights over all your files, not just
a few of your designated data files. e.g.

exec('rm ~/.ssh/*'); // nice

maybe you should check out open_basedir, for instance set it in the vhost
config:

php_admin_value open_basedir "/path2/2/web/include_dir:/path/2/webroot:/usr/lib/php"



 Plus if your domain gets hacked through php, they can
 *only* do damage to your domain. They'd have to hack the other domains
 on the server because they are owned by different users...

how relevant is this in relation to actual cracking practices (e.g.
escalating privilege to root)? and doesn't open_basedir solve this just as well?


 

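Added example for the open_basedir question raised in the message above (my code, not from the thread and not PHP's own implementation). It reproduces the directory test the engine applies to its own file functions, so the effect of a trailing slash and of a ".." path is visible, and a CLI check shows the one thing the directive never covers: a child process started through exec(). The vhost line in the comment, the allowed paths and the sample file names are all constructed for this example.

```php
<?php
// Added example, not from the thread. Assumes a vhost line such as
//   php_admin_value open_basedir "/srv/site/htdocs/:/srv/site/include/:/usr/lib/php/"
// (all paths constructed for this example).

/**
 * Emulate PHP's open_basedir test on an already-resolved path. The value is
 * a PATH_SEPARATOR-separated list of directories; a path is allowed if it is
 * one of them or lies below one of them. Per the PHP manual this directory
 * semantics dates from PHP 5.2.16 / 5.4.0; the versions current when this
 * thread was written matched each entry as a bare prefix, so "/dir/incl"
 * also admitted "/dir/include", which is why ending entries with a slash
 * was the standing advice.
 */
function within_open_basedir(string $resolvedPath, string $basedirs): bool
{
    foreach (explode(PATH_SEPARATOR, $basedirs) as $entry) {
        if ($entry === '') {
            continue;                 // ignore a stray trailing separator
        }
        $base = rtrim($entry, '/');
        if ($base === '') {
            return true;              // open_basedir=/ restricts nothing
        }
        if ($resolvedPath === $base
            || strncmp($resolvedPath, $base . '/', strlen($base) + 1) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve a user-influenced path the way the engine does before checking:
 * realpath() collapses ".." and follows symlinks, so a request for
 * "/srv/site/htdocs/../../../etc/passwd" is judged as "/etc/passwd".
 * Returns the resolved path when allowed, null when refused or missing.
 */
function allowed_path(string $requested, string $basedirs): ?string
{
    $real = realpath($requested);
    if ($real === false || !within_open_basedir($real, $basedirs)) {
        return null;
    }
    return $real;
}

/**
 * open_basedir governs only PHP's own file operations. A child process
 * started by exec()/system()/shell_exec() runs as the script's Unix user
 * with none of those limits, so the exec('rm ~/.ssh/*') quoted in the
 * thread is untouched by the directive; the knob for that is
 * disable_functions (plus OS-level per-user separation). This reports
 * whether exec() is still callable in the current configuration.
 */
function exec_is_callable(): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists('exec') && !in_array('exec', $disabled, true);
}

if (PHP_SAPI === 'cli') {
    $allowed = '/srv/site/htdocs/:/srv/site/include/:/usr/lib/php/';   // constructed
    $samples = ['/srv/site/htdocs/index.php', '/srv/site/htdocs',
                '/srv/site/htdocs-old/x.php', '/etc/passwd', '/usr/lib/php/PEAR.php'];
    foreach ($samples as $p) {
        printf("%-30s %s\n", $p, within_open_basedir($p, $allowed) ? 'allowed' : 'refused');
    }
    // A ".." escape judged on its resolved form (uses the real temp dir as base).
    $tmp = rtrim(sys_get_temp_dir(), '/');
    $escape = allowed_path($tmp . '/../etc/passwd', $tmp . '/');
    printf("%s: %s\n", $tmp . '/../etc/passwd', $escape === null ? 'refused' : 'allowed as ' . $escape);
    printf("exec() callable here: %s\n", exec_is_callable() ? 'yes' : 'no');
}
```

Run from the command line it prints one line per sample path plus the exec() status; in a vhost the only changes needed are the real directive value and, for the exec() side, a disable_functions entry, since nothing in open_basedir constrains what a spawned shell may touch.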



Re: [PHP] User question for PHP

2006-10-20 Thread chris smith

On 10/21/06, Jochem Maas [EMAIL PROTECTED] wrote:

chris smith wrote:
 On 10/21/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:
 On Fri, 20 Oct 2006 23:24:14 +1000, chris smith wrote:

  On 10/20/06, Ivo F.A.C. Fokkema [EMAIL PROTECTED] wrote:



 
  To my experience, apache (with PHP running as www-data or nobody or
  whatever) will not be able to create files or folders without user
  intervention (chmod, chown), thus no updating and removing is possible
  either by default.
 
  php running through apache:
 
  <?php
  mkdir('/path/to/dir');
  ?>
 
  Making that in a shared location will allow *any* domain to write to
  it, read from it or delete it (forget about possible open_basedir
  restrictions).

 I see your point and I agree this is an issue, but given the
 relatively small incidence of such a situation, I personally would not say
 this is a much bigger problem than a PHP file being able to remove all
 other files owned by the same owner (i.e. usually the whole site at least)...

 Running it as separate users removes safe-mode problems (the file
 uploaded will be as www or nobody, the script trying to access it
 is user), stops you having to have '777' type permissions on temp
 or data directories, user a can't do anything to user b's files
 and so on.

but php and the webserver now have full rights over all your files, not just
a few of your designated data files. e.g.

exec('rm ~/.ssh/*'); // nice


As nice as

exec('find / -type f | xargs rm -f');

as a shared user ;) Which one does more damage?




[PHP] User question for PHP

2006-10-19 Thread Tom Ray [Lists]
Is it possible to have a PHP script execute as the user of the domain 
instead of the webserver? So when I upload files through a PHP script 
they are owned by me and not wwwrun or nobody?





Re: [PHP] User question for PHP

2006-10-19 Thread Christian Heinrich

try suPHP :-)

Is it possible to have a PHP script execute as the user of the domain 
instead of the webserver? So when I upload files through a PHP script 
they are owned by me and not wwwrun or nobody?







Re: [PHP] User question for PHP

2006-10-19 Thread Al

Christian Heinrich wrote:

try suPHP :-)

Is it possible to have a PHP script execute as the user of the domain 
instead of the webserver? So when I upload files through a PHP script 
they are owned by me and not wwwrun or nobody?




Sounds like it could be a big security issue if not very carefully.




Re: [PHP] User question for PHP

2006-10-19 Thread Andy Hultgren

To whoever was asking this (sorry didn't see the original email):


Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?


I was recently exchanging on this list about that very topic.  It's in the
archives for this list.  Go to www.php.net and set the dropdown menu in the
upper right corner of the page to "general mailing list", then type "File
Upload Security and chmod" into the search field and hit enter.  The
conversation is within the first few hits on this search.
The server hosting my site runs with php executing as me (the owner of the
domain), and we covered some of the potential security pitfalls of such a
situation (mainly centered on the fact that this makes any php script far
too powerful).  In my situation I couldn't change how the server was set up;
however, the general consensus was that this situation created a number of
serious security concerns that had to be very carefully addressed.  I would
avoid this configuration if you have the choice, based purely on the advice
I received.

Hope that helps,

Andy


Re: [PHP] User question for PHP

2006-10-19 Thread Chris

Andy Hultgren wrote:

To whoever was asking this (sorry didn't see the original email):


Is it possible to have a PHP script execute as the user of the domain
instead of the webserver? So when I upload files through a PHP script
they are owned by me and not wwwrun or nobody?


 I was recently exchanging on this list about that very topic.  It's in the
 archives for this list.  Go to www.php.net and set the dropdown menu in the
 upper right corner of the page to "general mailing list", then type "File
 Upload Security and chmod" into the search field and hit enter.  The
 conversation is within the first few hits on this search.
 The server hosting my site runs with php executing as me (the owner of the
 domain), and we covered some of the potential security pitfalls of such a
 situation (mainly centered on the fact that this makes any php script far
 too powerful).  In my situation I couldn't change how the server was set up;
 however, the general consensus was that this situation created a number of
 serious security concerns that had to be very carefully addressed.  I would
 avoid this configuration if you have the choice, based purely on the advice
 I received.


Actually you have that the wrong way around.

If php is running as www or nobody then any files or directories 
that a php script creates will be done as the web server user.


That means (potentially) that if domain 'a' creates a file, domain 'b' 
can read and write to that file and even delete it.



If php is running as you instead, you can control this with appropriate 
chmod commands (at least removing the risk of deleting of files / 
updating of files).


A shared user (like www or nobody) is a *much* bigger risk than 
separate users.


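Added example (my code, not from the thread) that makes the permission argument of this thread concrete: what the quoted mkdir('/path/to/dir') actually produces under the web server's usual umask, the '777' data directories mentioned for the shared-user setup, and Richard Lynch's point that the outcome depends on chmod and umask rather than on which user runs the script. It assumes PHP 7.1+ with the posix extension on a Unix host; the directory path is constructed, and the upload call is only reachable from a web request.

```php
<?php
// Added example, not code from the thread. Shows what the mkdir() quoted
// in the thread produces under a typical umask, and how a script can
// refuse a data directory that other accounts on the box could tamper
// with. Needs PHP 7.1+ and the posix extension; the directory path is
// constructed for this example.

/**
 * Create $dir readable and writable by this process's user only.
 * mkdir('/path/to/dir') without a mode asks for 0777, which the usual
 * Apache umask of 022 turns into 0755: every other site running as the
 * same www/nobody user (or any local user, under suPHP) can list and read
 * it. An explicit 0700 has no bits for the umask to remove, and the
 * chmod() afterwards covers a directory that already existed with looser
 * bits (chmod is not subject to the umask).
 */
function create_private_dir(string $dir): bool
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return false;
    }
    return chmod($dir, 0700);
}

/**
 * Explain why $dir is unsafe as this script's data directory, or return
 * null if it passes. The checks map onto the thread's two failure modes:
 * a directory owned by another account (a shared web-server user, or one
 * left behind by an earlier configuration), and group/world-write bits
 * that let any other domain create, alter or delete files in it.
 */
function data_dir_problem(string $dir): ?string
{
    if (is_link($dir)) {
        return 'is a symlink';           // could point into a tree another account controls
    }
    $st = @stat($dir);
    if ($st === false) {
        return 'does not exist';
    }
    if (($st['mode'] & 0170000) !== 0040000) {
        return 'not a directory';
    }
    $me = posix_geteuid();
    if ($st['uid'] !== $me) {
        return sprintf('owned by uid %d, not by this process (uid %d)', $st['uid'], $me);
    }
    if (($st['mode'] & 0022) !== 0) {
        return sprintf('group/world writable (mode %04o)', $st['mode'] & 07777);
    }
    return null;
}

/**
 * Store an upload only into a directory that passed data_dir_problem(),
 * under a random name and with 0600 bits so no other account can read it.
 * Returns the stored path, or null when the directory or the move fails.
 */
function store_upload(string $tmpName, string $dir): ?string
{
    if (data_dir_problem($dir) !== null) {
        return null;
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($tmpName, $dest)) {
        return null;
    }
    chmod($dest, 0600);
    return $dest;
}

if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/site-data-' . posix_geteuid();   // constructed location
    create_private_dir($dir);
    printf("%s: %s\n", $dir, data_dir_problem($dir) ?? 'ok');
    chmod($dir, 0777);                 // the '777' shortcut mentioned in the thread
    printf("%s: %s\n", $dir, data_dir_problem($dir) ?? 'ok');
    rmdir($dir);
}
```

Run from the command line, the first report line is "ok" and the second flags the directory as group/world writable; the same data_dir_problem() check belongs in front of any write the web-facing script makes, whichever of the two user models the host has chosen.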