security question - small code review

pablogosse

Hi all. Currently I'm webmaster of a site where there are only a few users other than myself.

We're about to enable PHP (finally) and I've written the following in an attempt to restrict the use of PHP to only my user account.

$f = $HTTP_SERVER_VARS["PATH_TRANSLATED"];
define("u","webmstr");
define("owner",implode("",array_slice(posix_getpwuid(fileowner($f)),0,1)));define("group",implode("",array_slice(posix_getgrgid(filegroup($f)),0,1)));owner != u || group != u ? die("illegally accessed.  please go away.") : "";

I'm going to put this in a file outside of the webroot and then use that file as the value of auto_prepend_file in php.ini. Then whenever a php file is executed, it will check to see who it belongs to. If group and owner are both 'webmstr' it's okay, if not, the script will die.

Can anyone see any weakness in this, or have any other suggestions for achieving the same thing?

Thanks in advance,
Pablo

kidsleep

I'm not good enough to see any weaknesses in your code but I think I remember reading that $HTTP_SERVER_VARS was depriciated due to a security flaw(Someone please correct me if I'm mistaken) use $_SERVER for the variables unless you are using a version of php older than 4.1.0

MrAlaska

Originally posted by kidsleep
I'm not good enough to see any weaknesses in your code but I think I remember reading that $HTTP_SERVER_VARS was depriciated due to a security flaw(Someone please correct me if I'm mistaken) use $SERVER for the variables unless you are using a version of php older than 4.1.0

Actually, I think it was just the global use of variables that suffered security issues. HTTP_SERVER_VARS and $SERVER should be just as secure as each other (Somebody correct me if I am wrong). $HTTP_SERVER_VARS is treated a bit different by PHP than $_SERVER and is recommended if available. If there were security issues involved with the deprecation I would certainly like to know. Personally, I collect my variables at page load and declare them as needed, so the differences are not noticed by me (that I am aware, anyway)

I am not good enough to see any weaknesses in the code, either. The functions being used I am not familiar with, but I intend to check them out. I would now but I am on my way to dinner, and food is almost as important! When security issues are on the table, I like to learn everything I can.