Date: 12/11/99
- Next message: info <email protected>: "[PHP-DEV] No permita que la competencia registre su nombre en Internet."
- Previous message: Andrei Zmievski: "Re: [PHP-DEV] PHP 4.0 Bug #2956: array_walk not working as it did in php 3.0?"
- Next in thread: Stig Bakken: "[PHP-DEV] Re: [PHP4BETA] suid-php"
- Reply: Stig Bakken: "[PHP-DEV] Re: [PHP4BETA] suid-php"
Hi developers!
There is a problem doing administrative tasks securely with
php scripts.
I don't know much about those things, but I have got an idea that I
would like to share with you. Please give me feedback.
I think the best way to explain what I have in mind is to give an
example.
[root <email protected> htdocs]# pwd
/usr/local/apache/htdocs
[root <email protected> htdocs]# ls -l *.php
-rwSr----- 1 root nogroup 12345 Dec 9 17:31 admin.php
-rw-r----- 1 root nogroup 12345 Dec 9 17:31 normal.php
Those are two php scripts. The first one does stuff that needs root. The
other one does not.
I would like admin.php to be interpreted (''executed'') as root and
normal.php as the user that the web server runs as (''nobody'' for
example).
The suid-flag indicates that I wish php to change UID to the user that
the php script is owned by. The suid-flag has no effect if the
executable-flag isn't set, so maybe it's a good idea to use the
suid-flag for this purpose.
Normal users can also take advantage of this feature; they can read
files in their home-dir that are only user-readable from their own
php-scripts.
If they do not need/want to access files as their own UID, then they
just don't set the suid-flag on the script.
To prevent malicious use of this feature maybe it would be wise to add
some compile-time- or php.ini options like:
1. Preventing files without the .php (or an optional one) suffix from
being interpreted.
2. Restricting the use of this feature for certain directories
Options like those that suEXEC provides and maybe also the security
checks could be stolen from suEXEC.
Of course, all this will only be possible for the /cgi-bin/php version,
but that's fine with me anyway.
[root <email protected> cgi-bin]# ls -l
total 1778
-rwsr-x--- 1 root nogroup 1811828 Nov 19 15:52 php
This is a security issue, but no one except root can change the ownership
of a file and no one except the owner of the file can change the
filemode, so where is the security risk?
(If the php code is secure or not is of course the author's problem.)
I hope you will consider this, it would be a very cool and useful
feature.
I understand not all people need this, but who can complain if it's a
compile-time option? (It won't affect the PHP standard in any way, it's
just a question of what user the scripts are interpreted as.)
Thanks in advance for any comments!
Joel Jacobson, student.
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>