hello,
if the script is running as user X (without root privileges) then there
is no way that the OS let user X chown file to user Y.
recheck the userid the script is running as ;)
if the script is running from the web server then it's userid will be
www/www as you say.
regards,
nuno silva
Chris Ralston wrote:
> Hey, guys,
>
> Apologies if I should have sent this to the dev list instead.
>
> It seems to me that ftp_get() is a potential security hole, or maybe we've
> just got it misconfigured on our system. When a script calls ftp_get() and
> transfers a file, the new file on the local system (e.g. the box running php)
> is owned by the webserver. Now this would make sense if the client to the
> php script were doing an HTTP upload, but shouldn't an FTP transfer be
> created as the user of the script?
>
> We're running PHP 4.0.4pl1 in "safe mode" under Apache 1.3.9. Apache is
> running as www/www and the script is run as John Q. User.
>
> If this can be used to create arbitrary files as the webserver, it seems like
> any legitimate user can create malicious scripts, ftp_get() them so that they
> are owned by the webserver user, then run them just by surfing to the new
> file. Even with safe mode and "php_admin_value docroot" set, it seems like
> there'd be a variety of "attacks" a user could do, if s/he were so inclined.
>
> I'm not a hacker (so looking at php's source wouldn't help me), but I'm a
> concerned sysadmin who's suddenly very scared of the --with-ftp configure
> directive.
>
> -Chris
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
