
RE: [cobalt-security] php security..



When providing PHP you have two basic ways of doing it.
1) CGI, which you can suexec (or other) and run as an actual site user.
2) Apache module. This is the way it is used on the RAQs and many, many other
sites.

The module is faster and also allows advanced features that would not be
possible with just the CGI version.

But the downside is "security". On my RAQ3 httpd runs as its own user, and
all other users make files readable by the world to enable the web server to
see the files (even if you could only make them readable by httpd it wouldn't
help). The problem occurs because the PHP is run as the owner of the httpd
daemon, and as such needs to be able to read all the files the web server
serves.

When running a PHP script such as this, you will see what the httpd user can
see, i.e. anything that's readable by the world, or by the httpd user itself.

This really isn't PHP security at all; it is the way things are with web
servers. A more important issue might be that on a RAQ with multiple users,
if they have, say, a PHP script that can talk to a DB and has a password in
the PHP file, this must be readable by the httpd daemon, which in turn makes
it readable by any other site user that runs a PHP script and looks in their
filespace. The fact that it's PHP doesn't really matter; if you give a user
shell they will also be able to see all files readable by the world/that
user.

To be honest I don't think you will find a "useful" or "viable" solution to
this problem. I have managed to hide passwords by "magicing" them into PHP
for each site. But this still doesn't stop other site users from reading all
of the PHP/HTML files.

Maybe you can have a per-site PHP config, but I've never seen one in the
real world; also you would need to stop some PHP functions like system,
otherwise it wouldn't help the issue. Hopefully me and a few other people
I've talked to on this issue have missed something and it's been staring us
in the face all the time.

Yours,
 ChrisB.
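The exposure described in the message above (every site's PHP running as the one httpd user, so whatever httpd can read, any site's script can read) can be checked for from the admin side. The following audit script is an added example, not part of the original post or of the Cobalt software; it assumes one subdirectory per site under the given root and that the web server user belongs to the group passed as the second argument (constructed default "httpd"), and it only reports files, it changes nothing.

```shell
#!/bin/sh
# Added audit example: list files under a shared hosting tree that a script
# running as the web server user could read, then flag the PHP files among
# them that appear to embed a password. Root directory and group name are
# assumptions for the demo; adjust them for a real host.

# Files readable by the world, plus files group-readable by the httpd group
# when that group exists on this machine (octal -perm masks are POSIX find).
readable_by_httpd() {
    root="$1"; grp="${2:-httpd}"
    if getent group "$grp" >/dev/null 2>&1; then
        find "$root" -type f \( -perm -004 -o \( -group "$grp" -perm -040 \) \)
    else
        find "$root" -type f -perm -004
    fi
}

# Of those, print the PHP/include files containing what looks like a
# credential assignment, one path per line, sorted.
exposed_php_credentials() {
    readable_by_httpd "$1" "$2" \
        | grep -E '\.(php|inc)$' \
        | while IFS= read -r f; do
              grep -qEi '(pass(word|wd)?|secret)[[:space:]]*=' "$f" \
                  && printf '%s\n' "$f"
          done \
        | sort
}

# Constructed demo tree: site_a leaves its config world-readable (the RAQ
# default the post describes), site_b restricts it to the owner.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site_a/web" "$d/site_b/web"
    printf '<?php $db_password = "example";\n' > "$d/site_a/web/config.php"
    printf '<?php $db_password = "example";\n' > "$d/site_b/web/config.php"
    printf '<?php echo "hello";\n' > "$d/site_a/web/index.php"
    chmod 644 "$d/site_a/web/config.php" "$d/site_a/web/index.php"
    chmod 600 "$d/site_b/web/config.php"
    printf '%s\n' "$d"
}

# Usage on a real box (assumed layout): exposed_php_credentials /home httpd
```

Run as root so that every site directory can be traversed; on a mod_php host only site_a/web/config.php is reported, while site_b's mode 600 file is safe from other sites only if their PHP does not also run as httpd.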