[PHP] running php through cron
Hi folks. I've got a quick question about security when running a php script through a cron job. I've got a cron job set up that executes every minute and looks for idle users and pending content within a cms. I know that if I wanted to execute the script with an exec() call from within another php script I would need to chmod +x it. I don't seem to need to do this with a cron job, as I use the following command in the cron job, php /home/pablo/cmsutil/CMS_monitor.php and the permissions on CMS_monitor.php are as follows: -rw-rw-r--1 pablopablo3636 Feb 21 00:48 CMS_monitor.php My question is under these permissions could someone else with an account on this server execute this file? I'm pretty sure they couldn't but my knowledge of Linux isn't yet as extensive as I would like it to be so I can't say for sure. Can someone verify or correct me on this? Cheers and TIA. Pablo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] running php through cron
On Sunday 22 February 2004 11:12, Pablo Gosse wrote: I know that if I wanted to execute the script with an exec() call from within another php script I would need to chmod +x it. I don't seem to need to do this with a cron job, as I use the following command in the cron job, php /home/pablo/cmsutil/CMS_monitor.php That's because you're executing the php binary (php) and telling it to run the script (CMS_monitor.php). and the permissions on CMS_monitor.php are as follows: -rw-rw-r--1 pablopablo3636 Feb 21 00:48 CMS_monitor.php My question is under these permissions could someone else with an account on this server execute this file? It depends. If they can read the file 'CMS_monitor.php' and they can execute the php binary then yes. But because users are not usually allowed to access other users' home directory they will not be able to run your scripts. -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general -- /* Why are there flotation devices under plane seats instead of parachutes? -- Why Why Why n22 */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] running php through cron
On Sat, 2004-02-21 at 22:12, Pablo Gosse wrote: php /home/pablo/cmsutil/CMS_monitor.php and the permissions on CMS_monitor.php are as follows: -rw-rw-r--1 pablopablo3636 Feb 21 00:48 CMS_monitor.php My question is under these permissions could someone else with an account on this server execute this file? I'm pretty sure they couldn't but my knowledge of Linux isn't yet as extensive as I would like it to be so I can't say for sure. If the script can be read (the r permission) it can be run through the php cli like you are doing in cron. If the cron command you have is running under your username, and the script does not need to be viewable by the web server, you can set the permissions to 600, which would be -rw---. This will allow you as the user to read (as well as execute through php) and write to the file and not let anyone else (besides root of course) to do anything with it. Technically, if an executable can be read it can be executed. If it's a binary it can be copied by a user and the copy can be run, if it's a script it can be passed to an interpreter and run. Good Luck, Adam -- Adam Bregenzer [EMAIL PROTECTED] http://adam.bregenzer.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] running php through cron
snip php /home/pablo/cmsutil/CMS_monitor.php and the permissions on CMS_monitor.php are as follows: -rw-rw-r--1 pablopablo3636 Feb 21 00:48 CMS_monitor.php My question is under these permissions could someone else with an account on this server execute this file? I'm pretty sure they couldn't but my knowledge of Linux isn't yet as extensive as I would like it to be so I can't say for sure. If the script can be read (the r permission) it can be run through the php cli like you are doing in cron. If the cron command you have is running under your username, and the script does not need to be viewable by the web server, you can set the permissions to 600, which would be -rw---. This will allow you as the user to read (as well as execute through php) and write to the file and not let anyone else (besides root of course) to do anything with it. Technically, if an executable can be read it can be executed. If it's a binary it can be copied by a user and the copy can be run, if it's a script it can be passed to an interpreter and run. /snip Thanks for the replies. Very helpful. The crontab running is my own so if I change the permission on the file as Adam mentions above I'll be fine (please let me know if this is not the case!). Thanks again. Pablo. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php