Security question

pablogosse

Hi all. Security question.

I'm currently developing a PHP site which will be served from Oracle's 9IAS. My sysadmin is quite helpful, but is very concerned about security, and giving PHP the ability to write files.

He's given me the following analogy as to how Java ensures security when allowing servlets to access files on the filesystem:

"In Java there is the idea of a sandbox. If you are serving a Java servlet to someone on the web there is no way that the servlet can access files outside of that sandbox. This protects the server from unauthorized and unforseen file access."

Is there an equivalent to this in PHP?

The other option I'm putting forth is to chmod one directory on the server to a+w such that I could allow users to upload photos to that directory (my other option is to store them as BLOBs in a PostgreSQL db).

Does anyone have any opinions on the sanbox paradigm, and also on any security issues which might arise from allowing one directory on the server to be fully writeable?

Thanks in advance,
Pablo

weekender

i'd always assumed the following to be true...

i think php files can only control files in the web server directory, apart from sessions and temp files which are normally stored in the php directory (eg c:\php).

think this is correct...?

_SuperString

Im pretty sure thats true, the only way to access other files/directories on the sytem/network is using PHP to make a ftp connection (but that should be protected anyway).

its probably worth looking at this article on security issues. I just found it on a previous post titled 'safe mode or die'.

tha_mink

It really depends on the security of the server. Default PHP installations can do lots of stuff it shouldn't be allowed to do. And to a certain extent, the onus is on you to make sure that the files you have php create are checked for malisiousness before they get made. (for example if you are useing user uploaded data and displaying it without checking for bad code...a user could destroy your sandbox)

However...if the server is configured correctly and you create a directory owned by the webserver (lets hope it's not the "nobody" user or group) than php should stay in its sandbox. But I for one wish the security was tighter since you can work around the sandbox and get into other peoples sandboxes with the right commands and a username/password pair.

$sandbox = "/the_directory";
unlink($sandbox);
print "you are screwed";

Run the following code on your server to see if you are in your sandbox...

Safe Mode or Die

Sxooter

The closest you can get to a good sandbox in PHP is to use suexec in apache and safemode in php. then, the httpd daemon runs PHP as the owner of the directory it is run in, and safemode keeps it from getting out of it's box.

Technically, PHP running as httpd could do anything the httpd user could do, including writing files outside the standard web server directory.