(php/apache beginner here)

Intro

Using Apache (as a service on Windows) with PHP, I've realized that while by default the web user can only access the \htdocs contents, the PHP script itself can read anywhere (not limited to \htdocs). What happens if we are not sure about the content of the PHP script, though, and wish to restrict file-system access?

Problem

Assume that we wish to allow people to change the content of the .php files but at the same time apply filesystem level restrictions. eg: script1.php can read/write/execute anything in c:\apache\htdocs. It can read-only from c:\f1\ but can NOT access any other directory altogether.

Question

How can one make sure that his/her PHP program has very specific permissions in Windows when reading or writing (e.g. with file_exists(), mkdir(), proc_open(), fwrite(), GD:imagejpg()) when outside \htdocs?

Additional thoughts

I've read that Apache as a service runs as the LocalSystem account, which has full read and write (777) permissions on most local paths.

  • Would it be right if I created a new (virtual?) User Account, assigned it to the apache service and change the [rwx] permissions of that particular account to my liking?
  • Is there a way to create different sets of restrictions for different PHP scripts? eg. besides c:\apache\htdocs, script1.php is also allowed to read-write in c:\f1 while script2.php is allowed to read-only from c:\f2
  • Moreover, would it be possible to create a "permission manager" - a PHP script that, when executed, assigns rights to other PHP scripts? e.g. all .php scripts that are less than 120 bytes can read-write in c:\f1

Thank you for your time,

-Fotis

FotisK
  • There's PHP safe mode if you're on an obsolete/old version of PHP, and there are various ways of jailing scripts, e.g. chroot. But if you're not sure about the PHP code, why are you allowing it anywhere near your server in the first place? The best security is to simply NOT allow any suspect code anywhere near your systems. – Marc B Jun 10 '16 at 14:47
  • Thank you @Marc B! nice reads on **chroot/safe_mode** - Luckily I'm not a *shared-host* providing services to others so I don't plan on allowing suspect PHP code inside my system. I was more curious about the level of sandboxing one can achieve: I'm not very confident on my understanding of *securing Apache/PHP* and thus worried about possible security holes. I thought that implementing *external* restraints (ie on the file-system), would contain the nature and extent of any damages. Plus that buggy code can do lots of damage too (delete, overwrite files on the wrong directory) ;-) – FotisK Jun 10 '16 at 16:30

1 Answer

In your Apache settings, httpd.conf, there should be something like this:

```apache
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www-data
Group www-data
```

This will be the user and the group that Apache will be running your website as. You just have to limit that user's permission for the files you don't want them to have access to.

Chin Leung
  • Thank you @Chin Leung! Good to know this exists there - not sure if this approach applies to Windows though? Also, in my `httpd.conf`, both `User`/`Group` are set to `daemon` – FotisK Jun 10 '16 at 16:02
  • Yes @FotisK, this applies to Windows as well. Since both the user and group are set to `daemon`, Apache is running the website as the user and group `daemon`. You can read more about permissions on Windows here: http://www.eightforums.com/tutorials/2815-permissions-allow-deny-access-users-groups-windows-8-a.html – Chin Leung Jun 10 '16 at 18:32
  • Thanks @Chin Leung! Unfortunately I didn't manage to get it working - In `httpd.conf` I changed the *User* and *Group* to `testuser` and `testgroup` respectively (for clarity) and created a `testuser` with no password and assigned him to `testgroup`. I picked a folder that my script *needs* to function and made sure that user is **denied** every single permission (Read&Execute, List Contents, Modify etc). Still running the PHP script bypassed all restrictions. As a note, I couldn't find `mod_unixd.so` in my apache modules [1](http://httpd.apache.org/docs/current/mod/mod_unixd.html) – FotisK Jun 10 '16 at 20:48
  • If I otherwise go to `Services.msc`›`Apache2.4`›`Properties`›`Log On` and instead of `LocalSystem` choose `testuser`, the restrictions are applied correctly. But I'm not sure how proper this approach is (let alone that I'd potentially like different restriction sets for different PHP scripts - not one applied to all) – FotisK Jun 10 '16 at 21:04
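
An added example, not part of the original thread: the service Log On approach from the last comment, scripted in PowerShell so that the `Apache2.4` service runs as `testuser` with modify rights on `c:\apache\htdocs` and read-only rights on `c:\f1`. The `User`/`Group` directives belong to `mod_unixd`, which is a Unix-only module, so on Windows the identity comes from the service account. The `C:\apache\logs` path is an assumption about the install layout.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell.
# Service, account and folder names are the ones used in the thread;
# C:\apache\logs is an assumed install layout.
$Service = 'Apache2.4'
$Account = 'testuser'
$Htdocs  = 'C:\apache\htdocs'
$Logs    = 'C:\apache\logs'      # assumption: httpd must be able to write its logs
$ReadDir = 'C:\f1'

# 1. Create the dedicated local account (with a password) if it does not exist.
$cred = Get-Credential -UserName $Account -Message 'Password for the Apache service account'
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Account -Password $cred.Password -PasswordNeverExpires | Out-Null
}

# 2. Point the service at that account instead of LocalSystem.
#    sc.exe does not grant the "Log on as a service" right; assign it in
#    secpol.msc, or set the account once in Services.msc > Log On, which does.
$plain = $cred.GetNetworkCredential().Password
sc.exe config $Service obj= ".\$Account" password= $plain
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 3. Explicit ACEs. (OI)(CI) makes them inherit to files and subfolders.
icacls $Htdocs  /grant "${Account}:(OI)(CI)M"
icacls $Logs    /grant "${Account}:(OI)(CI)M"
icacls $ReadDir /grant "${Account}:(OI)(CI)RX"
#    Deny only the write/delete bits. The shorthand W also carries SYNCHRONIZE,
#    and denying that would block reads as well.
icacls $ReadDir /deny  "${Account}:(OI)(CI)(WD,AD,WEA,WA,DC,DE)"

# 4. Restart so httpd (and PHP inside it) picks up the new identity, then list
#    the ACEs that name the account. Access inherited from broader groups such
#    as Authenticated Users is not shown here and still applies elsewhere on disk.
Restart-Service -Name $Service
foreach ($p in $Htdocs, $Logs, $ReadDir) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object @{n='Path';e={$p}}, AccessControlType, FileSystemRights, InheritanceFlags
}
```

Every PHP script served by this service shares the one account, so this gives a single restriction set for the whole server, not one per script.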