Re: [PHP] restricting filesystem access
On Mon, March 31, 2008 3:21 am, Hamar Gábor wrote:
> I am a new php user and I have a question, for which I couldn't find
> any answer.
>
> I'd like to restrict php code to access the filesystem. I'd like to
> have only one directory where the php code can write, create or read
> files, and another directory hierarchy where the php codes present. I
> need this to avoid php code to rewrite other php code in case of bug
> and/or an attack.
>
> I already tried the open_basedir directive, but it couldn't work
> because in this case the executed php have to be in the accessible
> directory hierarchy.

PHP runs as the Apache user.

chown/chmod the source files to not be writable by that user.

Problem solved.

No real PHP trick here.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] restricting filesystem access
On Tue, Apr 1, 2008 at 10:04 AM, Richard Lynch [EMAIL PROTECTED] wrote:
> PHP runs as the Apache user.
>
> chown/chmod the source files to not be writable by that user.
>
> Problem solved.

Let's not ignore phpSuExec or suhosin, which are fast becoming standard. If I'm not mistaken, they're even the defaults for cPanel/Plesk and others now, too.

--
/Daniel P. Brown
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
Re: [PHP] restricting filesystem access
> I'd like to restrict php code to access the filesystem. I'd like to
> have only one directory where the php code can write, create or read
> files, and another directory hierarchy where the php codes present. I
> need this to avoid php code to rewrite other php code in case of bug
> and/or an attack.
>
> I already tried the open_basedir directive, but it couldn't work
> because in this case the executed php have to be in the accessible
> directory hierarchy.
>
> Thanks,
> Gabor

It depends. If you run your own server (you have the root password), then you can do something about this. But if you run on a shared server, I don't think you have a lot of options.

If you are afraid of the php code rewriting other code (a rare case), just chmod all the php files to 644.
Re: [PHP] restricting filesystem access
Hi,

Thank you for the answer. I am running my site on a shared server, but I can overwrite the options in the php.ini file. Unfortunately php runs as my user, so changing the permissions to 644 doesn't work, php is still able to write anything.

Gabor

On Monday, 2008. 03. 31 at 16.51, paragasu wrote:
> > I'd like to restrict php code to access the filesystem. I'd like to
> > have only one directory where the php code can write, create or read
> > files, and another directory hierarchy where the php codes present. I
> > need this to avoid php code to rewrite other php code in case of bug
> > and/or an attack.
> >
> > I already tried the open_basedir directive, but it couldn't work
> > because in this case the executed php have to be in the accessible
> > directory hierarchy.
> >
> > Thanks,
> > Gabor
>
> it depends, if you run your own server (you have root password). then
> you can do something about this. but if you run on shared server, i
> don't think you have a lot of options.
>
> if you afraid the php code to rewrite other code (rare case). just
> chmod all the php files to 644.
Re: [PHP] restricting filesystem access
> Thank you for the answer. I am running my site on a shared server, but
> I can overwrite the options in the php.ini file. Unfortunately php runs
> as my user, so changing the permissions to 644 doesn't work, php is
> still able to write anything.
>
> Gabor

OK, your hosting has php suexec enabled. I am afraid there is not much you can do to modify the php.ini. You may use ini_set() or the .htaccess to override the value anyway.

One thing you can do: sanitize input and make sure you code well :p
Re: [PHP] restricting filesystem access
On Mon, Mar 31, 2008 at 4:21 AM, Hamar Gábor [EMAIL PROTECTED] wrote:
> Hi,
>
> I am a new php user and I have a question, for which I couldn't find
> any answer.
>
> I'd like to restrict php code to access the filesystem. I'd like to
> have only one directory where the php code can write, create or read
> files, and another directory hierarchy where the php codes present. I
> need this to avoid php code to rewrite other php code in case of bug
> and/or an attack.

Are you saying that you want to use one file to allow people to write to your server without allowing them to overwrite other files? Try creating a directory, chmod 777 if needed, and then in your write routine, disallow periods (.), slashes (/), backslashes (\), et cetera. And you may also want to look into escapeshellarg() and escapeshellcmd() depending on your code.

You can also chmod the directory and all files within where the PHP files are located to 644, which will disallow writing if Apache isn't running suExec.

--
/Daniel P. Brown
Forensic Services, Senior Unix Engineer
1+ (570-) 362-0283
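Added example, not part of the thread and not written by any of its participants: a PHP write routine along the lines of the last reply, which keeps writes inside one data directory by rejecting periods, slashes and backslashes in the caller-supplied name. The function name save_user_file(), the scratch directory and the sample names are constructed for illustration; a check like this limits what a request can name, and does not replace file permissions when PHP runs as the owner of the source files.

```php
<?php
// Added example: confine writes to one data directory.
// save_user_file() and the demo directory are hypothetical names.
declare(strict_types=1);

/**
 * Write $contents to "<dataDir>/<name>.txt" and return the path written.
 * Throws if the name could address anything outside the directory.
 */
function save_user_file(string $dataDir, string $name, string $contents): string
{
    // Allowlist: letters, digits, underscore, hyphen. This rejects periods,
    // slashes, backslashes and NUL bytes, so "../x" and "x.php" cannot pass.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        throw new InvalidArgumentException('illegal file name');
    }

    // Resolve the base directory once; fail closed if it is missing.
    $base = realpath($dataDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('data directory missing');
    }

    // The extension is fixed by the code, never taken from the caller.
    $target = $base . DIRECTORY_SEPARATOR . $name . '.txt';

    // Refuse to write through an existing symlink in the data directory.
    if (is_link($target)) {
        throw new RuntimeException('refusing to write through a symlink');
    }

    if (file_put_contents($target, $contents, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $target;
}

// Constructed demo input, run against a scratch directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_data_' . getmypid();
mkdir($dir, 0700);
foreach (['report_1', '../index', 'shell.php', 'a\\b', "x\0y"] as $name) {
    try {
        echo 'ok:       ', save_user_file($dir, $name, "hello\n"), "\n";
    } catch (Exception $e) {
        echo 'rejected: ', json_encode($name), ' (', $e->getMessage(), ")\n";
    }
}
```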