RE: [PHP] reading/writing files outside of web root

2005-02-17 Thread Phil Ewington - 43 Plc
> Jason Wong wrote:
> > On Wednesday 09 February 2005 02:31, Richard Lynch wrote:
> > > Phil Ewington - 43 Plc wrote:
> > > > For some reason user_prefs will not open
> > > > for read/write even when I tested it under apache.apache and chmod'd
> > > > to 755,
> > > > perhaps because /home is owned by root?
> > >
> > > Something went wrong with this test.
> > >
> > > You SHOULD have been able to read/write that file in PHP, assuming
> > > 'apache' is the user PHP runs as.  Use http://php.net/phpinfo to
> > > confirm that it really *IS* 'apache' user that's running apache/php.
> >
> > It *will* fail if apache has no access to $HOME!
>
> I stand corrected.
>
> In addition to read/write access to the file itself, Apache must have at
> least eXecute (directory listing) permission to the directory containing
> that file.
>
> /home being owned by root is not the issue -- But if it's not something
> the apache user can 'ls /home' and get the contents of, then you've got a
> problem.

Thanks for all the input guys. The cron job suggestion is a great idea and I
will go with this over using sudo. Thanks again.

- Phil Ewington.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] reading/writing files outside of web root

2005-02-09 Thread Richard Lynch




Jason Wong wrote:
> On Wednesday 09 February 2005 02:31, Richard Lynch wrote:
> > Phil Ewington - 43 Plc wrote:
> > > For some reason user_prefs will not open
> > > for read/write even when I tested it under apache.apache and chmod'd
> > > to 755,
> > > perhaps because /home is owned by root?
> >
> > Something went wrong with this test.
> >
> > You SHOULD have been able to read/write that file in PHP, assuming
> > 'apache' is the user PHP runs as.  Use http://php.net/phpinfo to
> > confirm that it really *IS* 'apache' user that's running apache/php.
>
> It *will* fail if apache has no access to $HOME!

I stand corrected.

In addition to read/write access to the file itself, Apache must have at
least eXecute (directory listing) permission to the directory containing
that file.

/home being owned by root is not the issue -- But if it's not something
the apache user can 'ls /home' and get the contents of, then you've got a
problem.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] reading/writing files outside of web root

2005-02-08 Thread Jason Wong
On Tuesday 08 February 2005 20:50, Phil Ewington - 43 Plc wrote:

> So my question is can I easily/safely edit files outside of the web
> root using PHP or is there a 3rd party command line tool to do this?

Your real question is: can I easily/safely edit files that [the user 
running] PHP has no access to, using PHP?

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts




Re: [PHP] reading/writing files outside of web root

2005-02-08 Thread Jochem Maas
Phil Ewington - 43 Plc wrote:
> Hi All,
>
> I am revisiting a previous question posted here as after lots of
> investigation and code testing I cannot get what I want.
>
> I want to use PHP to read/write files that are outside of the web root and
> not owned by apache. To be specific...
>
> $HOME/.procmailrc
> $HOME/.spamassassin/user_prefs
>
> .procmailrc must be owned by root.root and chmod'd to 600 or it does not
> work, user_prefs can be owned by anyone, it does not seem to care who or
> what the permissions are. The first problem is .procmailrc, someone on this
> list suggested to use chown/chmod in PHP to change the file so it can be
> read/written to by PHP, this I soon realized was not an option as the file
> owned by root cannot be changed. For some reason user_prefs will not open
> for read/write even when I tested it under apache.apache and chmod'd to 755,
> perhaps because /home is owned by root?
>
> So my question is can I easily/safely edit files outside of the web root
> using PHP or is there a 3rd party command line tool to do this?

you can run PHP on the command line as root. you can also
use sudo to allow your script to run as root if run by another user.
you can call 'shell' commands (e.g. your command line php script via sudo)
from inside php (e.g. a script run via a webserver). your webscript would
act as a frontend to the cmdline script that runs as root... feeding it
the required data.

maybe that bit of freethought gives you some ideas as to how to tackle the
problem?

alternatively you can have your script work on a copy of .procmailrc and
have a cronjob check that file periodically for changes (and correct syntax)
and if changed replace the actual file.

obviously your webscript frontend will need to be well secured however you
decide/manage to solve the problem! doing it right won't be a piece of cake
methinks (based on my own experience of web security and the mailings on
internals@ of late, mainly by Rasmus, which very much give the impression
that securing a web app properly is somewhat beyond hard :-) ...cue new
request filter extension.)

> TIA
> ---
> Phil Ewington
> 43 Plc - Ashdale House
> 35 Broad Street, Wokingham
> Berkshire RG40 1AU
> T: +44 (0)1189 789 500
> F: +44 (0)1189 784 994
> E: mailto:[EMAIL PROTECTED]
> W: www.soyouthink.com



Re: [PHP] reading/writing files outside of web root

2005-02-08 Thread Greg Donald
On Tue, 8 Feb 2005 12:50:59 -, Phil Ewington - 43 Plc
[EMAIL PROTECTED] wrote:
> So my question is can I easily/safely edit files outside of the web root
> using PHP or is there a 3rd party command line tool to do this?

sudo can assist you with this task.


-- 
Greg Donald
Zend Certified Engineer
http://destiney.com/




Re: [PHP] reading/writing files outside of web root

2005-02-08 Thread Richard Lynch
Phil Ewington - 43 Plc wrote:
> For some reason user_prefs will not open
> for read/write even when I tested it under apache.apache and chmod'd to
> 755,
> perhaps because /home is owned by root?

Something went wrong with this test.

You SHOULD have been able to read/write that file in PHP, assuming
'apache' is the user PHP runs as.  Use http://php.net/phpinfo to confirm
that it really *IS* 'apache' user that's running apache/php.

As far as the sudo stuff goes, just be sure you give the PHP user as
LITTLE power as you can to get the job done.

To that end, I think the idea of the PHP user editing a copy of the files,
and then a cron job from root to double-check the files and copy them over
if they seem valid is the best solution.

You can even run all kinds of extra checks in the routine that checks the
syntax of the files.

For example, it's one thing for the .procmailrc to be valid syntax:  But
you could add some extra PHP code to check for some very specific things
you do NOT want to happen.  You could even check that the top part of the
files match and only a few (no more than X) new lines have been added by
PHP.

And you could check for specific things in the new lines, like 'root' if
you wanted to disallow somebody messing with 'root' account.

As many extra pieces of armour you can add to make SURE that the file is
being changed in the way you intended is good.

You can even intentionally write the code in a way that makes it easy for
you to add more checks.

Something as simple as:

// Each (...) stands for one specific check on the edited file.
if (...){
  error_log("Hack attempt: trying to break sendmail with 'root' access");
  exit;
}

if (...){
  error_log("Hack attempt: ...");
  exit;
}
.
.
.

will let you add in new tests as they occur to you.

When you're done, put yourself in the shoes of a Bad Guy, and pretend your
worst enemy -- the person on this Earth you most dislike, has written this
code, and ask yourself: How can I break in to this? :-)

-- 
Like Music?
http://l-i-e.com/artists.htm
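
The root cron-side check described in the message above, as an added example that is not part of the original thread or any poster's code: it accepts the web-edited copy only if the existing top part is unchanged, no more than X lines were appended and the appended lines pass a list of checks, then installs the validated bytes. The paths, the MAX_NEW_LINES value and the pipe rule are assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example (PHP 7.4+). Run from root's crontab, never by the web server.
const LIVE = '/home/exampleuser/.procmailrc';          // assumed path
const CANDIDATE = '/var/spool/rc-edit/exampleuser.rc'; // assumed copy the PHP user edits
const MAX_NEW_LINES = 10;                              // the "X" in the post; assumed value
function lines(string $s): array {
    $s = rtrim($s, "\n");
    return $s === '' ? [] : explode("\n", $s);
}
// One entry per check on the appended lines, so new checks are easy to add.
function checks(): array {
    return [
        fn(array $new) => count($new) > MAX_NEW_LINES ? 'too many new lines' : null,
        fn(array $new) => preg_grep('/root/i', $new) ? "new lines mention 'root'" : null,
        // Assumed extra rule: appended lines may not pipe mail to a program.
        fn(array $new) => preg_grep('/^\s*\|/', $new) ? 'new lines run a program' : null,
    ];
}
// Returns the reasons to reject; an empty array means the candidate is acceptable.
function validate(string $live, string $candidate): array {
    $old = lines($live);
    $cand = lines($candidate);
    if (array_slice($cand, 0, count($old)) !== $old) {
        return ['existing lines were modified'];   // top part must match
    }
    $new = array_slice($cand, count($old));
    return array_values(array_filter(array_map(fn($c) => $c($new), checks())));
}
// Installs the bytes that were validated, not the candidate file itself.
function install(string $bytes): bool {
    umask(0077);                                   // created by root, mode 600
    $tmp = LIVE . '.' . bin2hex(random_bytes(8));
    $fh = fopen($tmp, 'x');                        // exclusive create: fails on an existing file or symlink
    if ($fh === false) return false;
    $ok = fwrite($fh, $bytes) === strlen($bytes);
    fclose($fh);
    if ($ok && rename($tmp, LIVE)) return true;    // atomic replace
    unlink($tmp);
    return false;
}
$live = (string) @file_get_contents(LIVE);
$cand = is_link(CANDIDATE) ? false : @file_get_contents(CANDIDATE);
if ($cand === false || $cand === $live) exit(0);   // nothing to do
$errors = validate($live, $cand);
if ($errors) {
    error_log('procmailrc update rejected: ' . implode('; ', $errors));
    exit(1);
}
exit(install($cand) ? 0 : 1);
```

Writing the in-memory bytes rather than copying the candidate file means a change made to the copy after validation cannot reach the live file.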




Re: [PHP] reading/writing files outside of web root

2005-02-08 Thread Jason Wong
On Wednesday 09 February 2005 02:31, Richard Lynch wrote:
> Phil Ewington - 43 Plc wrote:
> > For some reason user_prefs will not open
> > for read/write even when I tested it under apache.apache and chmod'd
> > to 755,
> > perhaps because /home is owned by root?
>
> Something went wrong with this test.
>
> You SHOULD have been able to read/write that file in PHP, assuming
> 'apache' is the user PHP runs as.  Use http://php.net/phpinfo to
> confirm that it really *IS* 'apache' user that's running apache/php.

It *will* fail if apache has no access to $HOME!

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts
