Change user for fopen

Hi all

I need to write a script which overwrites certain .php files in the current
directory. Running as www user, I get a Permission denied on fopen.
Obviously, I could CHMOD all files to allow for writing of the www group.
However, I guess this would be quite a security flaw, so here's what I'd
like to do:

Change "running" user from www to root (or any other user), do fopen /
fwrite / fclose, change user back.

(How) Can I do this with PHP?

Thanks a lot
Simon
Feb 26 '06 #1
> I need to write a script which overwrites certain .php files in the current
> directory.

This objective by itself is a significant security issue.
It greatly increases the possible damage.
Are you sure you can't put this data in a database?

> Running as www user, I get a Permission denied on fopen.
> Obviously, I could CHMOD all files to allow for writing of the www group.
> However, I guess this would be quite a security flaw, so here's what I'd
> like to do:
>
> Change "running" user from www to root (or any other user), do fopen /
> fwrite / fclose, change user back.


If that was allowed, there'd be no security at all.
The OS doesn't let PHP change users like that (it is NOT
recommended that you run PHP or Apache as root).

In UNIX the way to accomplish this is running a setuid program.
This has to be done very carefully. If you make it too general,
you're erasing the distinction between users.

Gordon L. Burditt

Feb 26 '06 #2
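
A narrowly scoped setuid helper of the kind described in the reply above, as an added example that is not code from any poster in this thread. It assumes the binary is installed setuid to a dedicated deploy account rather than root; `DEPLOY_DIR`, the extension allowlist and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Assumed values for illustration: one fixed directory, a short allowlist. */
#define DEPLOY_DIR "/var/www/app"
static const char *const ALLOWED_EXT[] = { ".php", ".js", ".css", NULL };

/* Accept only a bare file name: no directories, no dotfiles, known suffix. */
int name_is_allowed(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok) return 0;               /* rejects '/', NUL tricks, spaces */
    }
    if (strstr(name, "..")) return 0;
    const char *dot = strrchr(name, '.');
    if (!dot) return 0;
    for (int i = 0; ALLOWED_EXT[i]; i++)
        if (strcmp(dot, ALLOWED_EXT[i]) == 0) return 1;
    return 0;
}

/* Open the target relative to the deploy directory, refusing symlinks. */
int open_target(int dirfd, const char *name) {
    if (!name_is_allowed(name)) return -1;
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
}

/* Usage: helper <name>   (new file contents arrive on stdin) */
int main(int argc, char **argv) {
    if (argc != 2) return 2;
    int dirfd = open(DEPLOY_DIR, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return 1;
    int fd = open_target(dirfd, argv[1]);
    if (fd < 0) return 1;
    char buf[4096];
    ssize_t n;
    while ((n = read(STDIN_FILENO, buf, sizeof buf)) > 0)
        if (write(fd, buf, (size_t)n) != n) return 1;  /* short write = fail */
    return (n < 0 || close(fd) != 0) ? 1 : 0;
}
```

Because the helper takes only a bare file name and opens it relative to one directory with `O_NOFOLLOW`, the www user gains the ability to replace those files and nothing more general.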
Hi Gordon

Thanks for your input. My script is a deployment-tool which does the
following:

- Get the current revision of a web application out of Subversion (a version
control system)
- Write the retrieved .php, .js etc files into wwwroot

So, the files unfortunately can't be in a database.

Simon

"Gordon Burditt" <go***********@burditt.org> wrote in message
news:12*************@corp.supernews.com...
> > I need to write a script which overwrites certain .php files in the
> > current directory.
>
> This objective by itself is a significant security issue.
> It greatly increases the possible damage.
> Are you sure you can't put this data in a database?
>
> > Running as www user, I get a Permission denied on fopen.
> > Obviously, I could CHMOD all files to allow for writing of the www group.
> > However, I guess this would be quite a security flaw, so here's what I'd
> > like to do:
> >
> > Change "running" user from www to root (or any other user), do fopen /
> > fwrite / fclose, change user back.
>
> If that was allowed, there'd be no security at all.
> The OS doesn't let PHP change users like that (it is NOT
> recommended that you run PHP or Apache as root).
>
> In UNIX the way to accomplish this is running a setuid program.
> This has to be done very carefully. If you make it too general,
> you're erasing the distinction between users.
>
> Gordon L. Burditt

Feb 27 '06 #3
On Mon, 27 Feb 2006 09:22:10 +0100, "Simon Niederberger"
<si***@sincore.ch> wrote:
> Hi Gordon
>
> Thanks for your input. My script is a deployment-tool which does the
> following:
>
> - Get the current revision of a web application out of Subversion (a version
> control system)
> - Write the retrieved .php, .js etc files into wwwroot
>
> So, the files unfortunately can't be in a database.
>
> Simon
>
> "Gordon Burditt" <go***********@burditt.org> wrote in message
> news:12*************@corp.supernews.com...
> > > I need to write a script which overwrites certain .php files in the
> > > current directory.
> >
> > This objective by itself is a significant security issue.
> > It greatly increases the possible damage.
> > Are you sure you can't put this data in a database?
> >
> > > Running as www user, I get a Permission denied on fopen.
> > > Obviously, I could CHMOD all files to allow for writing of the www group.
> > > However, I guess this would be quite a security flaw, so here's what I'd
> > > like to do:
> > >
> > > Change "running" user from www to root (or any other user), do fopen /
> > > fwrite / fclose, change user back.
> >
> > If that was allowed, there'd be no security at all.
> > The OS doesn't let PHP change users like that (it is NOT
> > recommended that you run PHP or Apache as root).
> >
> > In UNIX the way to accomplish this is running a setuid program.
> > This has to be done very carefully. If you make it too general,
> > you're erasing the distinction between users.
> >
> > Gordon L. Burditt

Simon,

A similar situation was brought up recently in this newsgroup. I'll
suggest now what I suggested then: the FTP functions of PHP. It may
at least address the issue of permissions, but may also have its own
security problems (userid / password in plaintext, etc.).

heyster
Feb 27 '06 #4
My solution was this:

Access file via local FTP. This will set the owner / group according to the
FTP login. Obviously, this requires FTP access to the file location.

Simon

"Simon Niederberger" <si***@sincore.ch> wrote in message
news:44******@news201.datazug.ch...
> Hi all
>
> I need to write a script which overwrites certain .php files in the
> current directory. Running as www user, I get a Permission denied on
> fopen. Obviously, I could CHMOD all files to allow for writing of the www
> group. However, I guess this would be quite a security flaw, so here's
> what I'd like to do:
>
> Change "running" user from www to root (or any other user), do fopen /
> fwrite / fclose, change user back.
>
> (How) Can I do this with PHP?
>
> Thanks a lot
> Simon

Mar 6 '06 #5
