PHP, UNIX, Permissions

Anon

Why is it that PHP scripts do not have authority to read and write to the file system unless I go in there manually and set the top directory to 777 ? How can this be changed? I feel that I should never need to have 777 directories on my system. Is this a correct assumption? I create directroies for new users and allow them to upload pictures, but I want to do the best I can at security so what is the best procedure for this?

Thanks

Anon

It looks like PHP runs as nobody. If a person wants to read and write to the file system with PHP, how can PHP be given higher permissions? SHOULD THIS BE DONE?

thanks

Anon

oh my god no. apache should always run on an unpriveleged acct... let's say you write this scrpipt:

<?php
system($foo);
?>

and i call the page as:

http://insecure?foo=halt

well, that's bad news. of course you would never write a script with such a hole in it...

Anon

If PHP creates directories and files, they are owned by 'nobody'. I create these under directories created at a logged in telnet session. So, how are these directories and files owned by nobody a security problem. Also, in order to make those, I had to set their parent directory to 777. I see that this is a hot issue on the web and that there is no solution except for some new model in apache 2.

Anon

Is there a security difference between a directory or file with nobody as the owner and set to 777 and a telnet logged in user made directory or file set to 777.

All I know is that I need php to make directories and copy files into them and that is forcing me to make the parent directory 777. Some people say never do that but what is the alternative?

Anon

The security problem arises when the Web server is granted permission to modify anything in the filesystem. The safe way to deal with this is to grant permission to the Web server to read/write only to a separate data directory, and not to the broader htdocs tree.

The best way to grant permission is to change the user or group ownership of the directory in question, and NOT to use mode 777 (which grants permission to all users). However, if you do not have root access, you may not be able to do that -- you can't change group ownership to a group of which you are not a member. And it is unlikely (but not impossible) that on a normally configured machine you will be a member of the same group as the Web server.

For CGI processes, it's possible for the root account to "wrap" a process so that it runs under a different user ID than the Web server. At my company, we do that as a matter of security policy. However, you do not have that option with PHP installed as a server module. This is not a limitation of PHP, but of the underlying security/operating system/Web server model.

Anon

okay, nobody is actually and account

cat /etc/passwd | grep nobody

shows this. so having a dir owned by nobody doesn't mean the dir is ownerless... if i make a dir called foo with ownership to nobody and perms of 700 only nobody and root can access it.

mkdir foo
chown -R nobody.nogroup foo
chmod -R 700 foo