MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Sun May 29, 2005 10:47 pm Post subject: PHP Security
When I tried to get my friend to unwillingly unlink his entire root folder because he tried to spam my IRC server, it suddenly occurred to me that one of the ~5 people with sites on my server could easily run unlink("../") and delete everything.
I trust these people enough not to do this, but if one of them did for whatsoever reason, I would be screwed; then if a backup is run before I notice, everything is gone.
Is there a way to protect against this in Abyss?
I have a fair idea on how to do this in Apache. (An .htaccess file using open_basedir.) But I am unable to do so in Abyss, and running an open_basedir in php.ini wouldn't do anything, even if giving it the value '.', which would be inconvenient as hell.
Ideas?
k1ll3rdr4g0n -
Joined: 04 Jul 2004 Posts: 609
Posted: Mon May 30, 2005 12:08 am Post subject:
Try running PHP in safe mode or give them a folder like C:\www\root\hosted\~site1 etc. Just a suggestion. :)
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Mon May 30, 2005 1:11 am Post subject:
k1ll3rdr4g0n wrote: | Try running PHP in safe mode or give them a folder like C:\www\root\hosted\~site1 etc. Just a suggestion. :) |
I use a lot of functions safe mode wouldn't like.
And how would the second suggestion help?
unlink("C:\\")?
Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
Posted: Mon May 30, 2005 2:11 am Post subject:
Put an Index.htm/php file or whatever is read by your Abyss as an Index file in the base directory?
k1ll3rdr4g0n -
Joined: 04 Jul 2004 Posts: 609
Posted: Mon May 30, 2005 2:39 am Post subject:
MonkeyNation wrote: | k1ll3rdr4g0n wrote: | Try running PHP in safe mode or give them a folder like C:\www\root\hosted\~site1 etc. Just a suggestion. :) |
I use a lot of functions safe mode wouldn't like.
And how would the second suggestion help?
unlink("C:\\")? |
I know there's a way with Apache to limit only certain folders to safe mode.
You would move their site to there, and it would be next to impossible to figure out where your site is located if you kept it at c:\program files\abyss web server\htdocs\mysite
And if they were to try and delete your site file by file, they would have to figure out where your site is first. And it's very far away from theirs, so they would have to do a ../../../../ and so on... Not only that, but they wouldn't actually be able to see the directory structure.
I think there's something I'm missing because in the PHP manual it says:
Quote: | bool unlink ( string filename [, resource context] )
Deletes filename. |
How could they delete everything, when unlink was designed for one file?
Mhmm... just tested it on my server:
Quote: | Warning: unlink(../): Permission denied in C:\Program Files\Apache Group\Apache2\htdocs\temptest\blah\test.php on line 2 |
Then I created a text file named test.txt in the same folder with some text in it. Then I ran the following code:
<?php
// Delete the single file test.txt in the script's own folder
unlink("test.txt");
?>
And, alas, no errors. Maybe this is just a bug with Abyss?
P.S. I'm assuming this is a Windows server....
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Mon May 30, 2005 2:45 am Post subject:
I believe you would need...
Code: | <?php @rmdir("../"); ?> |
...for what you're trying to do.
And Tim1681 has completely lost me...
k1ll3rdr4g0n -
Joined: 04 Jul 2004 Posts: 609
Posted: Mon May 30, 2005 2:58 am Post subject:
MonkeyNation wrote: | I believe you would need...
Code: | <?php @rmdir("../"); ?> |
...for what you're trying to do.
And Tim1681 has completely lost me... |
From the PHP manual:
Quote: |
bool rmdir ( string dirname [, resource context])
Attempts to remove the directory named by dirname. The directory must be empty, and the relevant permissions must permit this.
|
See that? If your site is there, they can't delete it.
After a little research, it does seem that is a problem.
-thinks-
Ok, if you don't want to use safe mode, I would suggest creating a virtual drive to a folder on your hosting hard drive. Say you have Z:\hosted files\hostee; they would only be able to get to the root of z:\ using the ../ directive. And your site would be safe on C. I'm just trying to help, that's the best I can honestly think of :\.
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Mon May 30, 2005 3:13 am Post subject:
k1ll3rdr4g0n wrote: | MonkeyNation wrote: | I believe you would need...
Code: | <?php @rmdir("../"); ?> |
...for what you're trying to do.
And Tim1681 has completely lost me... |
From the PHP manual:
Quote: |
bool rmdir ( string dirname [, resource context])
Attempts to remove the directory named by dirname. The directory must be empty, and the relevant permissions must permit this.
|
See that? If your site is there, they can't delete it.
After a little research, it does seem that is a problem.
-thinks-
Ok, if you don't want to use safe mode, I would suggest creating a virtual drive to a folder on your hosting hard drive. Say you have Z:\hosted files\hostee; they would only be able to get to the root of z:\ using the ../ directive. And your site would be safe on C. I'm just trying to help, that's the best I can honestly think of :\. |
Make a loop to unlink all the files in that directory first, and the same for directories. Point is, it can be done.
Mounting a folder wouldn't help either, simply delete C:\\.
aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Mon May 30, 2005 12:47 pm Post subject: Re: PHP Security
MonkeyNation,
There are many ways to prevent your friends from doing that. The simplest solution is to create in Windows a new user account called "webserver" for example, and to give this user the permission to read/write the web sites directories. Do not grant this user any permission to read/write any other part of your hard disk.
Now, start Abyss using this user account or, if Abyss is running as a service, change in Windows Services the user account under which privileges Abyss is launched to be "webserver".
If you are hosting your friends using Abyss Web Server X2, you can also configure PHP for each virtual host to use a different php.ini. Each php.ini should have its own open_basedir settings.
Support Team
Aprelium - http://www.aprelium.com
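One way to check that either measure described in the post above (the restricted "webserver" account, or a per-host php.ini with open_basedir) really confines a hosted script. This is an added example, not part of the original thread or of Abyss; the function name and the probed paths are assumptions to adjust for the server being checked, and the script only queries existence and writability.

```php
<?php
// Added example (not from the thread): read-only confinement self-test.
// Place it inside one hosted site's folder and request it through the
// web server, so it runs with that site's php.ini and the server's account.

/**
 * Probe paths a hosted script should NOT be able to reach.
 * Nothing is created, modified or deleted.
 * (confinement_report is a hypothetical helper name.)
 */
function confinement_report(array $forbidden): array
{
    $report = [
        'open_basedir' => ini_get('open_basedir') ?: '(not set)',
        'findings'     => [],
    ];
    foreach ($forbidden as $path) {
        // With open_basedir in force, PHP refuses to stat a path outside
        // the allowed tree: it raises a warning (silenced with @) and the
        // call returns false, so the path shows up as "blocked".
        $visible = @file_exists($path);
        // Without open_basedir, the permissions of the account the server
        // runs under are the only barrier; is_writable() reports them.
        $writable = $visible && @is_writable($path);
        $report['findings'][$path] = $writable
            ? 'WRITABLE: confinement is not effective here'
            : ($visible ? 'visible but not writable' : 'blocked');
    }
    return $report;
}

// Assumed probe targets: the folder above this site (the shared webroot
// that holds the other sites) and the drive root discussed in the thread.
$targets = [dirname(__DIR__), 'C:\\'];

$report = confinement_report($targets);
header('Content-Type: text/plain');
echo "open_basedir: {$report['open_basedir']}\n";
foreach ($report['findings'] as $path => $state) {
    echo str_pad($path, 40) . " $state\n";
}
```

With a per-host open_basedir in place, both targets should report "blocked"; with only the restricted account, the webroot stays writable (every site shares that one account) while the drive root should not be.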
Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
Posted: Mon May 30, 2005 2:46 pm Post subject:
Sorry lol, I was thinking of the Directory Index ... where that came from I do not know.
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Mon May 30, 2005 5:28 pm Post subject: Re: PHP Security
aprelium wrote: | MonkeyNation,
There are many ways to prevent your friends from doing that. The simplest solution is to create in Windows a new user account called "webserver" for example, and to give this user the permission to read/write the web sites directories. Do not grant this user any permission to read/write any other part of your hard disk.
Now, start Abyss using this user account or, if Abyss is running as a service, change in Windows Services the user account under which privileges Abyss is launched to be "webserver".
If you are hosting your friends using Abyss Web Server X2, you can also configure PHP for each virtual host to use a different php.ini. Each php.ini should have its own open_basedir settings. |
It's quite literally a folder in my webroot, that would mean making a new user account for each?
aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Tue May 31, 2005 9:11 am Post subject: Re: PHP Security
MonkeyNation wrote: | that would mean making a new user account for each? |
Abyss cannot run under many user accounts at the same time. So creating a new user account for the whole web site directory is sufficient.
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Tue May 31, 2005 9:12 pm Post subject: Re: PHP Security
aprelium wrote: | MonkeyNation wrote: | that would mean making a new user account for each? |
Abyss cannot run under many user accounts at the same time. So creating a new user account for the whole web site directory is sufficient. |
I understand you, but I myself use scripts that edit files outside of the webserver.
This would mean running 2 servers I assume? =/
aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Wed Jun 01, 2005 1:05 pm Post subject: Re: PHP Security
MonkeyNation wrote: |
I understand you, but I myself use scripts that edit files outside of the webserver.
This would mean running 2 servers I assume? =/ |
We're lost here. :-) Why are you assuming there are 2 servers???
Can you explain to us how your scripts work so that we can understand what you meant?
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Wed Jun 01, 2005 1:08 pm Post subject: Re: PHP Security
aprelium wrote: | MonkeyNation wrote: |
I understand you, but I myself use scripts that edit files outside of the webserver.
This would mean running 2 servers I assume? =/ |
We're lost here. :-) Why are you assuming there are 2 servers???
Can you explain to us how your scripts work so that we can understand what you meant? |
It's just, the scripts I use are in (for this example at least) / and I have scripts that write to files outside /, e.g. one edits some config files on my IRC daemon, so I do need permission for outside access. But for other files hosted on my server, they do not need access to those files, so therefore I would like to prevent them from accessing them.
In Apache I could put a simple .htaccess file, but I'm at a loss on another way to do so.