Posted by Gordon Burditt on 02/26/06 19:24

>I need to write a script which overwrites certain .php files in the current
>directory.

This objective by itself is a significant security issue.
It greatly increases the possible damage.
Are you sure you can't put this data in a database?

>Running as www user, I get a Permission denied on fopen.
>Obviously, I could CHMOD all files to allow for writing of the www group.
>However, I guess this would be quite a security flaw, so here's what I'd
>like to do:
>
>Change "running" user from www to root (or any other user), do fopen /
>fwrite / fclose, change user back.

If that was allowed, there'd be no security at all.
The OS doesn't let PHP change users like that (it is NOT
recommended that you run PHP or Apache as root).

In UNIX the way to accomplish this is running a setuid program.
This has to be done very carefully. If you make it too general,
you're erasing the distinction between users.

Gordon L. Burditt

• Next in forum: Re: $_SERVER['SCRIPT_NAME'] versus $_SERVER['PHP_SELF'] (or other?)
• Prev in forum: Re: error levels
• Thread view: Re: Change user for fopen

[Reply to this message]