Today I found a problem, when I wrote a section of PHP code like this:
<?php
// Try to open a file well outside the site's DocumentRoot.
$fp = fopen("/etc/passwd", "r");
if ($fp)
{
    echo 'ok!';
    // Read up to 8192 bytes and print them.
    $result = fread($fp, 8192);
    fclose($fp);
    echo $result;
}
else
{
    echo 'no!';
}
?>
I found that it really can read the passwd file! I'm not very familiar
with PHP, so I don't know whether there are any configuration options to limit
this behavior (in php.ini)? I think it isn't an Apache problem, so it
does no good to modify httpd.conf, does it?
I googled and got some information about the 'open_basedir' parameter. But
my LAMP sites have many virtual hosts; every host belongs to a different
user, and his/her 'DocumentRoot' belongs to a system user like this:
ls /www/users -l
drwx--x--x 17 user_elnzpjps ftpd 4096 Mar 13 16:42 test11.com
So I think it is not a good idea to set open_basedir to 'www/users',
because it's a problem when one user can read the files of another.
So, what is the resolution?
Thank you.
Rocky Zhou wrote:
> So, what is the resolution?
You can define a different open_basedir for every VirtualHost.
<VirtualHost xxx.xxx.xxx.xxx:xx>
ServerName www.domain.de
DocumentRoot /var/www/domain/
User user
Group group
php_admin_value open_basedir /var/www/domain/
</VirtualHost>
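As an added example (not code from this thread), a small Python audit that parses VirtualHost blocks and flags hosts whose open_basedir is missing, set to the shared /www/users prefix the poster worried about, or written without the trailing slash that open_basedir's prefix matching needs. The httpd.conf text and host names are constructed.

```python
# Added example (not from the thread): audit Apache vhosts for open_basedir.
import re
# Constructed httpd.conf: host a confined per host, host b shares /www/users, host c unlimited.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName www.example-a.test
    DocumentRoot /www/users/example-a.test/
    php_admin_value open_basedir /www/users/example-a.test/:/tmp/
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.example-b.test
    DocumentRoot /www/users/example-b.test/
    php_admin_value open_basedir /www/users
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName www.example-c.test
    DocumentRoot /www/users/example-c.test/
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\S+)[ \t]+(.*?)[ \t]*$", re.M)

def parse_vhosts(conf):
    # Map ServerName -> open_basedir value (None when the host sets none).
    hosts = {}
    for body in VHOST_RE.findall(conf):
        name, basedir = None, None
        for key, value in DIRECTIVE_RE.findall(body):
            if key == "ServerName":
                name = value
            elif key == "php_admin_value" and value.startswith("open_basedir "):
                basedir = value.split(None, 1)[1]
        hosts[name] = basedir
    return hosts

def audit(conf, shared_root="/www/users/"):
    """Map ServerName -> findings; an empty list means the host is confined."""
    findings = {}
    for name, basedir in parse_vhosts(conf).items():
        issues = []
        if basedir is None:
            issues.append("no open_basedir: PHP may read any file the server user can")
        for entry in (basedir or "").split(":"):
            # open_basedir is a prefix match unless the entry ends in '/'.
            if entry and not entry.endswith("/"):
                issues.append(f"{entry!r} lacks a trailing slash (prefix match)")
            if entry.rstrip("/") + "/" == shared_root:
                issues.append(f"{entry!r} covers every user's directory")
        findings[name] = issues
    return findings
```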
Rocky Zhou wrote:
I found that it realy can read the passwd file!
Yep, it is normal that /etc/passwd is globally readable on Linux/UNIX
systems. If it could not be read by all processes, they'd be unable to map
between numeric UIDs and usernames -- this would negatively affect common
utilities like "ps" and "ls".
This might *sound* like a security problem, but traditionally passwords in
/etc/passwd are stored in an encrypted format using the "crypt" algorithm.
What's more, most modern distributions no longer keep passwords in
/etc/passwd, but keep them in /etc/shadow instead, which has tighter
security -- /etc/passwd just holds less sensitive information, such as
usernames, UIDs, default group, home directory path, default shell and
so on.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
* = I'm getting there!
Thank you. It works.
On March 21, 8:40 PM, Mike Roetgers <miker...@informatik.uni-bremen.de>
wrote:
> You can define a different open_basedir for every VirtualHost.