Hi,

On Thu, 24 Nov 2005 14:12:32 -0800
Rasmus Lerdorf <[EMAIL PROTECTED]> wrote:

> > Well, safe_mode could prevent someone from doing a
> > shell_exec("cat /home/otheruser/web/config.php");
> > open_basedir can't do the same thing.
> We were in a continual losing race against that sort of thing though. 
> In pretty much every single release there have been ways to do this that 
> got around safe-mode.

This is not about safe_mode, but open_basedir - what is the purpose of
open_basedir restriction if it is easily circumvented using shell
commands?

> I have always maintained that shared hosts should be running 
> per-security context Apache instances as different users.  That's the 
> only way to truly keep things secure.  If you have everyone executing 
> things as the same user id you will never truly separate the security 
> contexts.  Failing that, shared hosts should be looking at per-user fastcgi.

Just to summarize: this approach would require that each user's scripts
would be non-world-readable and only readable by the owner. That way
users can't peek in other users' source code.

But again, what is the purpose of open_basedir() here?

Furthermore, I might want to keep some of the security by running the
php by some other user than the owner. Otherwise e.g. a poor
"file_put_contents()" script might overwrite existing scripts. Of course
it is a bad thing if scripts aren't secure, but at least one wouldn't
risk getting all existing files wiped or modified if the php user isn't
the same as the owner.

This "other user" should not be the same for all users. A method could
be creating individual wwwuser users for every user.

E.g. for the user "penguin" another user "penguin_www" could be created
and added to the "penguin" group. PHP files could be chmod'ed 640.
"penguin_www" would be able to read and run the script (as the files
have group read), but not be able to write/modify files or create new
files. Other users wouldn't be able to read the files belonging to
"penguin".

This might be out of scope for php, but as a recommended setup I think
it would be fair to provide hints for general setup.


(and once again, I agree that safe_mode is not safe, it is a poor
functionality as it suggests magic instead of easily understandable
features, it gives users headaches with UID matching)

-- 
- Peter Brodersen

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
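The per-customer "penguin" / "penguin_www" layout with mode-640 files that the message above proposes can be checked mechanically. The script below is an added example written for this thread, not code from the list or from PHP itself: it models the POSIX owner/group/other check to show which of the three roles (owner, the group-member www user, an unrelated customer) can read or write a 640 file, and it walks a web root flagging files that are world-readable (the cross-customer source leak the thread is about) or group-writable (the overwrite risk a careless file_put_contents() would pose). The uids, the directory contents and the finding labels are constructed for the demo; a real audit would additionally compare st_uid/st_gid against the customer account, which a non-root run cannot set up.

```python
import os
import shutil
import stat
import tempfile

# Constructed uids/gids for the three roles in the setup. A real host
# allocates these via useradd; the numbers here are assumptions.
PENGUIN_UID = PENGUIN_GID = 1000     # the customer owning the web files
PENGUIN_WWW_UID = 1001               # penguin_www, member of group "penguin"
OTHER_UID = OTHER_GID = 1002         # an unrelated customer on the same box


def can_access(mode, file_uid, file_gid, uid, gids, want):
    """POSIX permission-class check: owner, else group, else other.

    `mode` is the permission bits only (e.g. 0o640); `gids` is the caller's
    full set of group ids including supplementary groups.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == file_uid:
        perm_class = (mode >> 6) & 7
    elif file_gid in gids:
        perm_class = (mode >> 3) & 7
    else:
        perm_class = mode & 7
    return bool(perm_class & bit)


def role_matrix(mode, file_uid=PENGUIN_UID, file_gid=PENGUIN_GID):
    """Return {role: (can_read, can_write)} for a file owned penguin:penguin."""
    roles = {
        "penguin": (PENGUIN_UID, {PENGUIN_GID}),
        "penguin_www": (PENGUIN_WWW_UID, {PENGUIN_WWW_UID, PENGUIN_GID}),
        "otheruser": (OTHER_UID, {OTHER_GID}),
    }
    return {
        name: (can_access(mode, file_uid, file_gid, uid, gids, "r"),
               can_access(mode, file_uid, file_gid, uid, gids, "w"))
        for name, (uid, gids) in roles.items()
    }


def audit_tree(root):
    """Flag entries whose permission bits break the 640 (files) / 750 (dirs) layout.

    Only the mode bits are inspected; ownership is left out because a
    non-root run cannot chown the sample files.
    """
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            bits = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if bits & 0o007:
                findings.add((rel, "dir-accessible-to-others"))
            if bits & 0o020:
                findings.add((rel, "dir-group-writable"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            bits = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if bits & 0o004:
                findings.add((rel, "world-readable"))
            if bits & 0o020:
                findings.add((rel, "group-writable"))
    return findings


def run_demo():
    """Build a constructed web root, audit it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="penguin_web_")
    try:
        os.chmod(root, 0o750)
        layout = {
            "config.php": 0o640,   # intended: www user reads, cannot write
            "leaked.php": 0o644,   # readable by every other customer
            "upload.php": 0o660,   # www user could overwrite it
        }
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample file\n")
            os.chmod(path, mode)
        incl = os.path.join(root, "inc")
        os.mkdir(incl)
        os.chmod(incl, 0o755)      # mkdir's mode is umask-masked; set it explicitly
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, (r, w) in role_matrix(0o640).items():
        print(f"{name:12s} read={r} write={w}")
    for rel, problem in sorted(run_demo()):
        print(f"{rel}: {problem}")
```

Running it as a normal user prints that penguin_www can read but not write a 640 file while otheruser can do neither, and the audit reports leaked.php, upload.php and the 755 directory; pointing audit_tree() at a real customer directory is the intended use.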