I asked this question a while back and even though I put up several bounties, I never got much of an answer (see here). More generally, I want to know if there is any concept of security with suPHP? What's to stop anyone from going to

www.example.com/rm-f-r.php

or

www.example.com/return_some_iamge.php

Because those scripts get executed with the privileges of the user, it's essentially guaranteed access.


EDIT To elaborate on the above, my problem is a conceptual one. Assume we have a file at /home/user/test.php. Let this file do anything (rm -f -r /, fetch and return a picture, reboot the computer...) If I point my browser to that file (assuming the containing folder is an enabled site under Apache) how do I tell the browser to only let the owner of that file execute it?


EDIT 2: I never explicitly stated this as I assumed suPHP is only used with Apache (i.e. web browsers), but I am talking about authenticating Linux users with only a browser. If we do not authenticate, then anyone technically has access to any script on the server (with web sites this is not a problem as they always have permissions set to 0644, so essentially the whole world can see. PHP files, on the other hand, generally have permissions set to 0700).

puk
  • Your question is unclear. What is inherently wrong with a server program deleting files or returning images? What kind of access is being "guaranteed"? I just can't tell what it is you are trying to ask, suggest or protect against. – Cheekysoft Mar 02 '12 at 12:21
  • @Cheekysoft I will edit the question – puk Mar 02 '12 at 12:44
  • I am fairly confident my question has no solution http://stackoverflow.com/a/9561335/654789 – puk Mar 06 '12 at 04:39

1 Answer

suPHP has the effect that the PHP runtime executes with the permission of the user that authored the .php file. This means that a PHP program author can only read and write files that he himself owns, or otherwise has access to.

If you put a PHP file on your website you are making it publicly runnable by anyone that comes along to your website - using suPHP does not change this. Without logging in to your site, all web users are effectively anonymous and there is no way to reliably identify an individual. suPHP only controls the local permissions the script will have when it is executed, it does not intend to introduce any form of web user authentication or authorisation.

If you wish to control which users can actually run a script, you need to implement some login functionality and force the users to log in to your site. Then add a check to the sensitive PHP script (or Apache configuration) which will make it abort the request, if the current logged in web user is not one you wish to execute that script.

Cheekysoft
  • Yes but *how* do we establish ownership through a web browser? With Linux, you log in and start a session, is there a corresponding log in with browsers? – puk Mar 02 '12 at 12:50
  • You will need to research sessions and user authentication techniques in PHP. Or for a quick-fix, look at Apache's limit/allow/deny directives and htpasswd controls e.g. http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html – Cheekysoft Mar 02 '12 at 13:24
  • How would I abort it? The conceptual problem I have is that if I interfere with the `php` script, I risk changing the user that `php` script gets executed with. I am guessing that Apache would capture all requests to any `php` file, and send it to a validation file, let's call it `validate.php`, and, upon success, `validate.php` would call the original `php` file. But now, `validate.php` has been run as, probably, user `var-www` and so too will the original `php` file. AFAIK suPHP only changes the user **once** at the very beginning. – puk Mar 02 '12 at 13:27
  • One person did suggest htpasswd controls, and it is definitely the easiest solution, I just find it a little crude having that 1993 pop up window request for your login id and password – puk Mar 02 '12 at 13:35
  • Why are you editing and wanting to abort someone else's PHP scripts? Your situation is weird and unexplained. I think you need to explain your background. It is possible you are asking the wrong questions to address your particular need. It sounds like you are asking how to implement your *proposed solution* to your problem; instead of just stating your problem and asking for solution ideas. You should probably rewind and ask a fresh question that actually states what root-problem you are trying to address. – Cheekysoft Mar 02 '12 at 13:36
  • I'm not editing per se, I am just trying to map the underlying file permissions to web sites. I want user `john` to be the only person to have access to everything in `/home/john/`. With suPHP I can navigate the files in that folder using the Linux file permissions only. The problem I am having is priming the pump – puk Mar 02 '12 at 13:41
  • You are probably right. I will create a new question asking for solution ideas – puk Mar 02 '12 at 13:45
  • I tried as best as I could to reword the question. http://stackoverflow.com/questions/9542263/need-help-implementing-php-sessions-in-suphp – puk Mar 03 '12 at 00:36
  • @Cheekysoft, just a clarification, the real path (and symlink path if symlinks are used on the path) _must_ also be trusted. In this sense trusted means that the directory must either be owned by the script UID or by root, and by default suPHP is also configured to require that none are group or other writeable. – TerryE Mar 06 '12 at 11:15
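
The check the answer describes (abort the request unless the logged-in web user is the one allowed to run the script), sketched in PHP as an added example that is not part of the original answer or comments. It assumes a login page running under the same Unix account has verified the visitor and stored the account name in `$_SESSION['unix_user']` (a hypothetical key), and that PHP's posix extension is available; the file name `guard.php` and the function names are also made up for illustration.

```php
<?php
declare(strict_types=1);

// guard.php: added example, not code from the original answer.
// Usage, as the first lines of e.g. /home/john/test.php:
//     require __DIR__ . '/guard.php';
//     require_owner(__FILE__);
// The guard is included by the protected script itself, so suPHP still
// starts that script as its file owner; no wrapper script runs it as
// another user.

/** Return the Unix account name that owns $path, or null if unknown. */
function script_owner(string $path): ?string
{
    $uid = @fileowner($path);
    if ($uid === false) {
        return null;
    }
    $pw = posix_getpwuid($uid);
    return ($pw === false) ? null : $pw['name'];
}

/** True only when a logged-in user exists and matches the file owner. */
function may_run($sessionUser, ?string $owner): bool
{
    return is_string($sessionUser)
        && is_string($owner)
        && $owner !== ''
        && $sessionUser === $owner;
}

/** Abort with 403 unless the session user owns $scriptPath. */
function require_owner(string $scriptPath): void
{
    session_start();
    // Assumption: set by the login page after it verified the password.
    $user = $_SESSION['unix_user'] ?? null;

    if (!may_run($user, script_owner($scriptPath))) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

With PHP's default file-based session handler the session file is created by whichever account the script runs as, so a login page executed under a different account would need a session store that both accounts can read.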