[PHP] PHP permissions problem
My commercial host is set up with the public root directory, public_html, owned by user: userid, group: nobody. Directories I create within public_html are owned by user: userid, group: userid. As a result, PHP does not have permission to create files or write to files in public_html, but it does within its subdirectories. Is this a common setup? Are there security problems with changing the ownership of public_html to user: userid, group: userid so PHP can create files within the root directory? Advice, opinions, and links to relevant information are requested. PHP 4.3.2/Linux/Apache 1.3.28 -- Lowell Allen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP permissions problem
* Thus wrote Lowell Allen ([EMAIL PROTECTED]): My commercial host is set up with the public root directory, public_html, owned by user: userid, group: nobody. Directories I create within public_html are owned by user: userid, group: userid. As a result, PHP does not have permission to create files or write to files in public_html, but it does within its subdirectories. Is this a common setup? Are there security problems with changing the ownership of public_html to user: userid, group: userid so PHP can create files within the root directory? Advice, opinions, and links to relevant information are requested. I usually keep my writable directories outside the public_html directory. homedir/public_html/* All read only by webserver. homedir/private_data/* Make these files read/write Curt -- I used to think I was indecisive, but now I'm not so sure. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP permissions problem
* Thus wrote Lowell Allen ([EMAIL PROTECTED]): My commercial host is set up with the public root directory, public_html, owned by user: userid, group: nobody. Directories I create within public_html are owned by user: userid, group: userid. As a result, PHP does not have permission to create files or write to files in public_html, but it does within its subdirectories. Is this a common setup? Are there security problems with changing the ownership of public_html to user: userid, group: userid so PHP can create files within the root directory? Advice, opinions, and links to relevant information are requested. I usually keep my writable directories outside the public_html directory. homedir/public_html/* All read only by webserver. homedir/private_data/* Make these files read/write Curt I should have explained that the setup is a problem because the site uses a content management system that updates a few static HTML pages -- the pages that get hit most often. The commercial host seems to have changed their standard setup so that my CMS can no longer update these pages since PHP no longer has permission to write to public_html. (I'll eventually get an explanation from the host. I find I have to email one simple question at a time.) I could change the permissions of public_html to 777, but that doesn't seem like a good idea. I could write the static files to a subdirectory, but that would require rewriting several output functions. Or I could ask the commercial host to change ownership of public_html to userid.userid. But is there a security problem with that? -- Lowell Allen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] php permissions
php is running on our box as nobody:nogroup. I'm trying to write php code that will edit/delete files uploaded to the server by other users, and, obviously, I get a permissions error. My sysadmin is hesitant to give php more access until I do some research about the security issues involved, and I am a relative newbie and I'm not sure what the issues are or how to find out more about them. How do I give php permissions to delete files etc., without opening up an security hole? Is this an issue at all? Help! Thanks! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php permissions
chown them to nobody. - Original Message - From: ROBERT MCPEAK [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 19, 2002 7:53 PM Subject: [PHP] php permissions php is running on our box as nobody:nogroup. I'm trying to write php code that will edit/delete files uploaded to the server by other users, and, obviously, I get a permissions error. My sysadmin is hesitant to give php more access until I do some research about the security issues involved, and I am a relative newbie and I'm not sure what the issues are or how to find out more about them. How do I give php permissions to delete files etc., without opening up an security hole? Is this an issue at all? Help! Thanks! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php permissions
On Friday, April 19, 2002, at 01:53 PM, ROBERT MCPEAK wrote: My sysadmin is hesitant to give php more access until I do some research about the security issues involved, and I am a relative newbie and I'm not sure what the issues are or how to find out more about them. How do I give php permissions to delete files etc., without opening up an security hole? Is this an issue at all? First hit at Google: http://www.w3.org/Security/Faq/ Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php permissions
How? Manually each time a file is uploaded? Or with PHP somehow? I appreciate your response, but perhaps I'm not clear enough. Isn't it quite common to have php creating/editing/deleting files on the server? How is this done in a secure manner? Could you explain further? Thanks. Dave Raven [EMAIL PROTECTED] 04/19/02 01:55PM chown them to nobody. - Original Message - From: ROBERT MCPEAK [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 19, 2002 7:53 PM Subject: [PHP] php permissions php is running on our box as nobody:nogroup. I'm trying to write php code that will edit/delete files uploaded to the server by other users, and, obviously, I get a permissions error. My sysadmin is hesitant to give php more access until I do some research about the security issues involved, and I am a relative newbie and I'm not sure what the issues are or how to find out more about them. How do I give php permissions to delete files etc., without opening up an security hole? Is this an issue at all? Help! Thanks! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] php permissions
How? Manually each time a file is uploaded? Or with PHP somehow? I appreciate your response, but perhaps I'm not clear enough. Isn't it quite common to have php creating/editing/deleting files on the server? How is this done in a secure manner? Could you explain further? Well technically unless your admin is using the latest PHP updates, the server is already open to known exploits (albeit most are pretty difficult to recreate). Your admin is probably panicing as many others did when the exploits were announced they were mentioned as problems in the file upload routineshowever most people don't realize that these exploits were usable whether file uploading was used or not. In answer to your question the file upload system is fairly secure but you should never rely on it alone. When it initially uploads the file, the file is stored as a temporary name (so there's no way to execute code with a screwy filename). And although it shouldn't be an issue regardless, as long as you remove any fancy characters from the true filename before you store it in another area (anything not alphanumeric or a .) you should have no problems whatsoever. However as was mentioned before, assuming someone did manage to use the file upload system ...the worst damage one could do to a system would be to erase/modify files associated with the webserver username (or files with open permissions)...so really worse case scenario if your admin has done his job properly is one could manage to erase all the other php uploaded files if they found an exploit. Sincerely, Craig Vincent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] php permissions
Craig, you seem very knowledgable and I appreciate your help. I confused matters by mentioning the word upload. I'm actually not using php to upload the files. The user ftps the files to the server, and the ownership permissions prevent php from manipulating the files. I'm looking for a clear answer on whether giving php permission, or setting the directory to nobody:nogroup, or whatever, poses a security threat. How can php be used to edit/delete files without opening a security hole? Bear with me, I think Im getting clearer. Craig Vincent [EMAIL PROTECTED] 04/19/02 03:07PM How? Manually each time a file is uploaded? Or with PHP somehow? I appreciate your response, but perhaps I'm not clear enough. Isn't it quite common to have php creating/editing/deleting files on the server? How is this done in a secure manner? Could you explain further? Well technically unless your admin is using the latest PHP updates, the server is already open to known exploits (albeit most are pretty difficult to recreate). Your admin is probably panicing as many others did when the exploits were announced they were mentioned as problems in the file upload routineshowever most people don't realize that these exploits were usable whether file uploading was used or not. In answer to your question the file upload system is fairly secure but you should never rely on it alone. When it initially uploads the file, the file is stored as a temporary name (so there's no way to execute code with a screwy filename). And although it shouldn't be an issue regardless, as long as you remove any fancy characters from the true filename before you store it in another area (anything not alphanumeric or a .) you should have no problems whatsoever. However as was mentioned before, assuming someone did manage to use the file upload system ...the worst damage one could do to a system would be to erase/modify files associated with the webserver username (or files with open permissions)...so really worse case scenario if your admin has done his job properly is one could manage to erase all the other php uploaded files if they found an exploit. Sincerely, Craig Vincent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php permissions
On Friday, April 19, 2002, at 02:44 PM, ROBERT MCPEAK wrote: Isn't it quite common to have php creating/editing/deleting files on the server? How is this done in a secure manner? Running Apache/PHP as 'nobody' isn't really that secure, since there may be other services running on the system that run as 'nobody'. The more services that are run under an account, the more open to an attack and therefore compromise that account becomes. Tell your sysadmin that they should create a user called www or Apache or something as a dedicated web server user. Then, you can make this user a member of group phpusers or something like that. Each trusted user on the system can also be made a member of group phpusers, so that they can make files accessible to the www or apache user without having access to files owned by www or apache. There's a lot to it -- did you read through that FAQ I sent you? It's not as simple as posting a question to a mailing list -- there are books devoted to this very topic. (Don't feel bad, I asked the same thing once on another mailing list, and I'm still learning about the many ways a system needs to be secured.) It's like the Force -- if you try to take the easy route, the Dark side, sure, you can get your files on the web quickly and easily. You can DO just about anything. But you leave yourself open to exploitation by other users of the Dark side. However, if you invest a lot of time and effort (A LOT) into your Jedi training, you can continually learn how to secure your system or write clean code or normalize your database tables until 900 years old you reach. Erik (another Jedi student) Erik Price Web Developer Temp Media Lab, H.H. Brown [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
