
Change user for fopen

Hi all

I need to write a script which overwrites certain .php files in the current
directory. Running as www user, I get a Permission denied on fopen.
Obviously, I could CHMOD all files to allow for writing of the www group.
However, I guess this would be quite a security flaw, so here's what I'd
like to do:

Change "running" user from www to root (or any other user), do fopen /
fwrite / fclose, change user back.

(How) Can I do this with PHP?

Thanks a lot
Simon
Feb 26 '06 #1


> I need to write a script which overwrites certain .php files in the current
> directory.

This objective by itself is a significant security issue.
It greatly increases the possible damage.
Are you sure you can't put this data in a database?

> Running as www user, I get a Permission denied on fopen.
> Obviously, I could CHMOD all files to allow for writing of the www group.
> However, I guess this would be quite a security flaw, so here's what I'd
> like to do:
>
> Change "running" user from www to root (or any other user), do fopen /
> fwrite / fclose, change user back.

If that was allowed, there'd be no security at all.
The OS doesn't let PHP change users like that (it is NOT
recommended that you run PHP or Apache as root).

In UNIX the way to accomplish this is running a setuid program.
This has to be done very carefully. If you make it too general,
you're erasing the distinction between users.

Gordon L. Burditt

Feb 26 '06 #2
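
The point above about keeping a setuid program narrow, as an added example that is not part of the original thread: a C helper that only overwrites existing files below one hard-coded root and refuses everything else. `DEPLOY_ROOT`, `target_allowed` and `deploy_write` are hypothetical names, and the sketch assumes the binary is setuid to a dedicated deployment account rather than root.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
/* Assumed deployment root: compiled in, never supplied by the caller. */
#define DEPLOY_ROOT "/var/www/app"

/* Accept only relative paths of plain name components ending in an allowlisted extension. */
int target_allowed(const char *rel) {
    static const char *ext[] = { ".php", ".js", ".css", ".html" };
    size_t n = strlen(rel), i, e;
    if (n == 0 || n > 255 || rel[0] == '/' || rel[0] == '.') return 0;
    if (strspn(rel, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/_") != n) return 0;
    if (strstr(rel, "..") || strstr(rel, "//") || strstr(rel, "/.")) return 0;
    for (i = 0; i < sizeof ext / sizeof ext[0]; i++) {
        e = strlen(ext[i]);
        if (n > e && rel[n - e - 1] != '/' && strcmp(rel + n - e, ext[i]) == 0) return 1;
    }
    return 0;
}

/* Overwrite an existing file below rootfd; every component is opened with
 * O_NOFOLLOW so a symlink planted in the tree cannot redirect the write. */
int deploy_write(int rootfd, const char *rel, const void *buf, size_t len) {
    char path[256], *name = path, *slash;
    int dir, fd, next;
    if (!target_allowed(rel) || (dir = dup(rootfd)) < 0) return -1;
    strcpy(path, rel);                      /* fits: target_allowed caps length at 255 */
    while ((slash = strchr(name, '/')) != NULL) {
        *slash = '\0';
        next = openat(dir, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(dir);
        if ((dir = next) < 0) return -1;
        name = slash + 1;
    }
    fd = openat(dir, name, O_WRONLY | O_TRUNC | O_NOFOLLOW);   /* no O_CREAT: overwrite only */
    close(dir);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, len);
    return (close(fd) == 0 && w == (ssize_t)len) ? 0 : -1;
}

/* Usage: helper <relative-path>, new file contents on stdin (at most 1 MiB). */
int main(int argc, char **argv) {
    static char buf[1 << 20];
    size_t len = 0; ssize_t n; int root;
    if (argc != 2 || (root = open(DEPLOY_ROOT, O_RDONLY | O_DIRECTORY)) < 0) return 2;
    while ((n = read(0, buf + len, sizeof buf - len)) > 0) len += (size_t)n;
    if (n < 0 || len == sizeof buf) return 1;
    return deploy_write(root, argv[1], buf, len) == 0 ? 0 : 1;
}
```

The helper never creates files, takes no root directory from its caller and reads no environment variables, so the web user gains exactly one capability: replacing the contents of files that already exist under the root.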

Hi Gordon

Thanks for your input. My script is a deployment-tool which does the
following:

- Get the current revision of a web application out of Subversion (a version
control system)
- Write the retrieved .php, .js etc files into wwwroot

So, the files unfortunately can't be in a database.

Simon

Feb 27 '06 #3

On Mon, 27 Feb 2006 09:22:10 +0100, "Simon Niederberger"
<si***@sincore.ch> wrote:

> Hi Gordon
>
> Thanks for your input. My script is a deployment-tool which does the
> following:
>
> - Get the current revision of a web application out of Subversion (a version
> control system)
> - Write the retrieved .php, .js etc files into wwwroot
>
> So, the files unfortunately can't be in a database.
>
> Simon

Simon,

A similar situation was brought up recently in this newsgroup. I'll
suggest now what I suggested then: the FTP functions of PHP. It may
at least address the issue of permissions, but may also have its own
security problems (userid / password in plaintext, etc.).

heyster
Feb 27 '06 #4

My solution was this:

Access file via local FTP. This will set the owner / group according to the
FTP login. Obviously, this requires FTP access to the file location.

Simon

Mar 6 '06 #5