LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-11-2006, 06:12 PM   #1
krasl
Member
 
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40

Rep: Reputation: 15
PHP directory security - reading other people's files


Hello everyone. I have a question related to PHP (and other web scripting language) security:

I am running a webserver (virtual hosts) hosting several websites. This server is running Apache2 and PHP.

I have found that I can create a very simple one-line PHP script and look at any file on the server with world-readable permissions. OK, fine. But what if I don't want other people reading a PHP script that I wrote? I can't remove the world-readable bit or apache won't run it.

Here's an example
I create a file "test.php" containing the following line:
<?php echo `cat /etc/passwd`; ?>

I upload this into the public_html directory on one of my websites, then from a browser I open this file: sitename/test.php
Voila: I see the entire /etc/passwd file. Isn't this a security risk???

Now the problem appears here:
I have two different websites running (virtual hosts). If on site 'A' I create this test.php script, I can potentially read any .php files in site 'B's public_html directory. But if I chmod 640 the php files in site 'B's directory, they will no longer execute, because Apache doesn't have permission to read them.

I have tried putting the 'apache' user in the same group as these sites' owners, but nothing happens. It still can't access the files if they are chmod 640.

I created another script:
<?php echo `whoami`; ?>

When I run this script, the output is "apache". That means the "apache" user is the one trying to access the files, right? So why can't I put the "apache" user in the same group as the owner of the files, then set the access mask to 640?
I modified /etc/group by adding the username 'apache' on the end of the website owner's group name.
...
websiteownergroup:x:1234:apache

Then by running 'groups apache' it outputs the following:
apache : apache websiteownergroup

ls -l gives the following output:
-rw-r----- 1 websiteowner websiteownergroup xx Mar xx xx:xx test.php

Shouldn't this give access to apache to a file with group 'websiteownergroup' and permission mask 640?

What on earth am I missing here???

Thank you!

Last edited by krasl; 03-11-2006 at 06:49 PM.
 
Old 03-11-2006, 07:08 PM   #2
krasl
Member
 
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40

Original Poster
Rep: Reputation: 15
OK. I discovered that in the /etc/php.ini file, setting safe_mode = On prevents much of this. But it still seems that there is a big hole here. What if I allowed users to SSH into the server? (which I don't, by the way...) They would be permitted to view other users' files because if the world-readable bit is turned off, apache can't access the files.
I must be really dense, but it seems like you could just put the 'apache' user into the same group as the file owner, and give group-read permission to the file. But this doesn't work.

Any advice appreciated!!!
 
Old 03-16-2006, 08:36 AM   #3
krasl
Member
 
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40

Original Poster
Rep: Reputation: 15
Does anyone have any insight here?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
PHP: List files in directory, exclude backups kenneho Programming 2 12-30-2005 05:27 AM
Deleting unwanted files from any directory without reading each Karthikeyan Gurusamy Linux - Newbie 3 12-24-2005 02:48 AM
what is the function for reading a directory name mili Programming 2 08-01-2005 11:20 AM
[c++]Reading directory hylke Programming 2 05-23-2004 07:09 AM
suggested reading on linux security nakkaya Linux - Security 3 02-21-2003 06:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:17 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration