Re: Change user for fopen

Posted by heyster on 02/27/06 19:38

On Mon, 27 Feb 2006 09:22:10 +0100, "Simon Niederberger"
<simon@sincore.ch> wrote:

>Hi Gordon
>
>Thanks for your input. My script is a deployment-tool which does the
>following:
>
>- Get the current revision of a web application out of Subversion (a version
>control system)
>- Write the retrieved .php, .js etc files into wwwroot
>
>So, the files unfortunately can't be in a database.
>
>Simon
>
>"Gordon Burditt" <gordonb.todzf@burditt.org> wrote in message
>news:1203p273vaumfbc@corp.supernews.com...
>>>I need to write a script which overwrites certain .php files in the current
>>>directory.
>>
>> This objective by itself is a significant security issue.
>> It greatly increases the possible damage.
>> Are you sure you can't put this data in a database?
>>
>>>Running as www user, I get a Permission denied on fopen.
>>>Obviously, I could CHMOD all files to allow for writing of the www group.
>>>However, I guess this would be quite a security flaw, so here's what I'd
>>>like to do:
>>>
>>>Change "running" user from www to root (or any other user), do fopen /
>>>fwrite / fclose, change user back.
>>
>> If that was allowed, there'd be no security at all.
>> The OS doesn't let PHP change users like that (it is NOT
>> recommended that you run PHP or Apache as root).
>>
>> In UNIX the way to accomplish this is running a setuid program.
>> This has to be done very carefully. If you make it too general,
>> you're erasing the distinction between users.
>>
>> Gordon L. Burditt
>>
>

Simon,

A similar situation was brought up recently in this newsgroup. I'll
suggest now what I suggested then: the FTP functions of PHP. It may
at least address the issue of permissions, but may also have its own
security problems (userid / password in plaintext, etc.).

heyster
