
php program can read /etc/passwd?

Today I found a problem, when I wrote a section of PHP code like this:

<?php
$fp = fopen("/etc/passwd", "r");
if ($fp) {
    echo 'ok!';
    $result = fread($fp, 8192);
    echo $result;   // print what was read; the original returned before this line, so nothing was shown
    fclose($fp);
} else {
    echo 'no!';
}
?>

I found that it really can read the passwd file! I'm not very familiar
with PHP, so I don't know whether there are any configuration options to limit
this behavior (in php.ini)? I think it isn't an Apache problem, so it
does no good to modify httpd.conf, does it?

I googled and got some information about the 'open_basedir' parameter. But
my LAMP sites have many virtual hosts; every host belongs to a different
user, and his/her 'DocumentRoot' belongs to a system user like this:
ls /www/users -l
drwx--x--x 17 user_elnzpjps ftpd 4096 Mar 13 16:42 test11.com
So I think it is not a good idea to set open_basedir to 'www/
users', because it's a problem when one user can read the files of
another.

So, what is the resolution?

Thank you.

Mar 21 '07 #1
Rocky Zhou schrieb:
You can define a different open_basedir for every VirtualHost.
<VirtualHost xxx.xxx.xxx.xxx:xx>
ServerName www.domain.de
DocumentRoot /var/www/domain/
User user
Group group
php_admin_value open_basedir /var/www/domain/
</VirtualHost>
Mar 21 '07 #2
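As an added example that is not from the thread: a small POSIX shell/awk audit that reads an Apache config and reports, per <VirtualHost>, whether php_admin_value open_basedir is absent or differs from DocumentRoot, which is the case the original poster worried about when one shared base such as /www/users covers every user's site. The config is constructed for this example, and php_admin_value assumes PHP runs as an Apache module (mod_php), as in the answer above.

```shell
#!/bin/sh
# Added example, not from the thread: audit Apache vhost blocks for open_basedir.
# Assumes mod_php (php_admin_value is honoured only by the PHP Apache module).

# Constructed sample config: one vhost correct, one missing open_basedir,
# one using a shared parent directory that other users' sites live under.
SAMPLE_CONF='<VirtualHost *:80>
    ServerName www.example-a.test
    DocumentRoot /var/www/a/
    php_admin_value open_basedir /var/www/a/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example-b.test
    DocumentRoot /var/www/b/
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example-c.test
    DocumentRoot /www/users/c/
    php_admin_value open_basedir /www/users/
</VirtualHost>'

# audit_open_basedir: read httpd config on stdin, print "<ServerName> <STATUS>"
# for each <VirtualHost>. STATUS is OK (open_basedir equals DocumentRoot),
# MISSING (no php_admin_value open_basedir), or MISMATCH(<value>) otherwise.
audit_open_basedir() {
    awk '
    function strip(p) { sub(/\/+$/, "", p); return p }   # drop trailing slashes
    /^[ \t]*<VirtualHost/                           { name = ""; root = ""; base = "" }
    /^[ \t]*ServerName[ \t]/                        { name = $2 }
    /^[ \t]*DocumentRoot[ \t]/                      { root = strip($2) }
    /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ { base = strip($3) }
    /^[ \t]*<\/VirtualHost>/ {
        if (base == "")        status = "MISSING"
        else if (base == root) status = "OK"
        else                   status = "MISMATCH(" base ")"
        print name, status
    }'
}

# run_sample: audit the constructed config above and return the report.
run_sample() {
    printf '%s\n' "$SAMPLE_CONF" | audit_open_basedir
}

run_sample
```

Run it against a real server with `audit_open_basedir < /etc/apache2/sites-enabled/*` (path depends on the distribution) and treat every MISSING or MISMATCH line as a vhost whose PHP can still read outside its own DocumentRoot.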
Rocky Zhou wrote:
I found that it realy can read the passwd file!
Yep, it is normal that /etc/passwd is globally readable on Linux/UNIX
systems. If it could not be read by all processes, they'd be unable to map
between numeric UIDs and usernames -- this would negatively affect common
utilities like "ps" and "ls".

This might *sound* like a security problem, but traditionally passwords in
/etc/passwd are stored in an encrypted format using the "crypt" algorithm.
What's more, most modern distributions no longer keep passwords in
/etc/passwd, but keep them in /etc/shadow instead, which has tighter
security -- /etc/passwd just holds less sensitive information, such as
usernames, UIDs, default group, home directory path, default shell and
so on.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Mar 21 '07 #3
Thank you. It works.

On Mar 21, 8:40 pm, Mike Roetgers <miker...@informatik.uni-bremen.de>
wrote:
You can define a different open_basedir for every VirtualHost.
<VirtualHost xxx.xxx.xxx.xxx:xx>
ServerName www.domain.de
DocumentRoot /var/www/domain/
User user
Group group
php_admin_value open_basedir /var/www/domain/
</VirtualHost>

Mar 22 '07 #4
