PHP directory security - reading other people's files
Hello everyone. I have a question related to PHP (and other web scripting languages) security:
I am running a webserver (virtual hosts) hosting several websites. This server is running Apache2 and PHP.
I have found that I can create a very simple one-line PHP script and look at any file on the server with world-readable permissions. OK, fine. But what if I don't want other people reading a PHP script that I wrote? I can't remove the world-readable bit or apache won't run it.
Here's an example
I create a file "test.php" containing the following line:
<?php echo `cat /etc/passwd`; ?>
I upload this into the public_html directory on one of my websites, then from a browser I open this file: sitename/test.php
Voila: I see the entire /etc/passwd file. Isn't this a security risk?
Now the problem appears here:
I have two different websites running (virtual hosts). If on site A I create this test.php script, I can potentially read any .php files in site B's public_html directory. But if I chmod 640 the .php files in site B's directory, they will no longer execute, because Apache doesn't have permission to read them.
I have tried putting the 'apache' user in the same group as these sites' owners, but nothing happens. It still can't access the files if they are chmod 640.
I created another script:
<?php echo `whoami`; ?>
When I run this script, the output is "apache". That means the "apache" user is the one trying to access the files, right? So why can't I put the "apache" user in the same group as the owner of the files, then set the access mask to 640?
I modified /etc/group by adding the username 'apache' on the end of the website owner's group name.
...
websiteownergroup:x:1234:apache
Then by running 'groups apache' it outputs the following:
apache : apache websiteownergroup
ls -l gives the following output:
-rw-r----- 1 websiteowner websiteownergroup xx Mar xx xx:xx test.php
Shouldn't this give access to apache to a file with group 'websiteownergroup' and permission mask 640?
What on earth am I missing here?
Thank you!
Last edited by krasl; 03-11-2006 at 06:49 PM.
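Added example, not part of the original post: a Python script that replays the discretionary access check the kernel performs when the apache user opens a file, so you can see which part of the path is denying access. It assumes a constructed uid 65534 standing in for "apache", and a temporary directory tree standing in for site B's public_html; the only real files it touches are ones it creates itself. Two things worth checking that the post does not mention: every directory on the path to the script needs the group search (x) bit as well, not just the file's group read bit, and a running process keeps the supplementary group list it was given when it started, so `groups apache` reflecting the new /etc/group entry does not mean the already-running httpd workers have it until Apache is restarted (`<?php echo `id`; ?>` shows the live worker's groups). Note also that making the shared apache user a member of every site's group does not achieve the original goal: any vhost's PHP still runs as that user and can read the other site's files.

```python
import os
import shutil
import tempfile


def _perm_bits(st, uid, gids):
    """Pick the owner, group or other permission triplet that applies to this identity."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def can_read(path, uid, gids):
    """Simulate a read-open of `path` by a process with the given uid and group list.

    Returns (ok, reason). Every parent directory must grant search (x) and the
    file itself must grant read (r); uid 0 bypasses these checks as root does.
    """
    if uid == 0:
        return True, "root bypasses discretionary access checks"
    path = os.path.abspath(path)
    comps = [c for c in path.split(os.sep) if c]
    cur = os.sep
    for comp in comps[:-1]:
        cur = os.path.join(cur, comp)
        if not _perm_bits(os.stat(cur), uid, gids) & 0o1:
            return False, "no search (x) permission on directory %s" % cur
    if not _perm_bits(os.stat(path), uid, gids) & 0o4:
        return False, "no read (r) permission on %s" % path
    return True, "ok"


def demo():
    """Build a constructed site tree and evaluate the cases from the post.

    Returns a dict of case name -> bool (readable by the simulated apache uid).
    """
    apache_uid = 65534  # constructed stand-in for the "apache" user; not the owner
    root = tempfile.mkdtemp()  # stands in for site B's home directory
    try:
        os.chmod(root, 0o750)
        site = os.path.join(root, "public_html")
        os.mkdir(site)
        os.chmod(site, 0o750)
        script = os.path.join(site, "test.php")
        with open(script, "w") as fh:
            fh.write("<?php echo 'secret'; ?>\n")
        os.chmod(script, 0o640)  # -rw-r----- as in the post

        site_gid = os.stat(script).st_gid  # the "websiteownergroup"
        results = {
            "owner": can_read(script, os.getuid(), [os.getgid()])[0],
            # apache not in the group: denied (the "other" bits are 0)
            "apache_not_in_group": can_read(script, apache_uid, [])[0],
            # apache in the group, directories 750, file 640: allowed
            "apache_in_group": can_read(script, apache_uid, [site_gid])[0],
        }
        # Common trap: the group membership is right but a parent directory
        # is 700, so the path cannot even be traversed.
        os.chmod(site, 0o700)
        results["apache_in_group_dir_700"] = can_read(script, apache_uid, [site_gid])[0]
        results["dir_700_reason"] = can_read(script, apache_uid, [site_gid])[1]
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %s" % (name, value))
```

The check mirrors what `open(2)` does for the calling process, so when it says "no search (x) permission on directory ..." that is the directory whose mode to fix; if the script reports readable but httpd still gets permission denied, the remaining suspects are the worker's stale group list (restart Apache) or a mandatory access control layer such as SELinux, which this script does not model.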