Posted by Simon Niederberger on 02/27/06 10:22
Hi Gordon
Thanks for your input. My script is a deployment-tool which does the
following:
- Get the current revision of a web application out of Subversion (a version
control system)
- Write the retrieved .php, .js etc files into wwwroot
So, the files unfortunately can't be in a database.
Simon
"Gordon Burditt" <gordonb.todzf@burditt.org> wrote in message
news:1203p273vaumfbc@corp.supernews.com...
>>I need to write a script which overwrites certain .php files in the current
>>directory.
>
> This objective by itself is a significant security issue.
> It greatly increases the possible damage.
> Are you sure you can't put this data in a database?
>
>>Running as www user, I get a Permission denied on fopen.
>>Obviously, I could CHMOD all files to allow for writing of the www group.
>>However, I guess this would be quite a security flaw, so here's what I'd
>>like to do:
>>
>>Change "running" user from www to root (or any other user), do fopen /
>>fwrite / fclose, change user back.
>
> If that was allowed, there'd be no security at all.
> The OS doesn't let PHP change users like that (it is NOT
> recommended that you run PHP or Apache as root).
>
> In UNIX the way to accomplish this is running a setuid program.
> This has to be done very carefully. If you make it too general,
> you're erasing the distinction between users.
>
> Gordon L. Burditt
>
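
The "not too general" point in the quoted reply, as an added example that is not part of the original thread: a target-path check a setuid deploy helper could apply before writing anything. The function names, the extension list beyond .php and .js, and the fixed-web-root layout are assumptions made for illustration.

```c
/* Added example: target-path check for a narrowly scoped setuid deploy helper.
 * Assumptions (not from the thread): the helper only ever writes below one
 * fixed web root, and only files with the extensions listed below. */
#include <string.h>
#include <ctype.h>

#define MAX_REL_PATH 255

static const char *const ALLOWED_EXT[] = { ".php", ".js", ".css", ".html" };

/* One path component: non-empty, no leading dot (rejects ".", "..", dotfiles),
 * only [A-Za-z0-9._-]. */
static int component_ok(const char *s, size_t len)
{
    if (len == 0 || s[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Returns 1 if rel is an acceptable path relative to the web root, else 0. */
int deploy_target_ok(const char *rel)
{
    size_t len = rel ? strlen(rel) : 0;
    if (len == 0 || len > MAX_REL_PATH || rel[0] == '/')
        return 0;
    const char *p = rel;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t clen = slash ? (size_t)(slash - p) : strlen(p);
        if (!component_ok(p, clen))
            return 0;
        if (!slash)
            break;
        p = slash + 1;
    }
    /* p now points at the final component; require an allowed extension. */
    const char *dot = strrchr(p, '.');
    if (!dot)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++)
        if (strcmp(dot, ALLOWED_EXT[i]) == 0)
            return 1;
    return 0;
}
```

A helper built around this check would refuse every argument for which `deploy_target_ok` returns 0, so the privileged write is confined to known file types under the web root rather than to whatever path the caller supplies.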