Newsgroups: php.internals
Date: Wed, 17 Jan 2007 08:46:00 +0000
From: addw@phcomp.co.uk (Alain Williams)
To: Arnold Daniels
Cc: Greg Beaver, Stanislav Malyshev, Stefan Esser, Marcus Boerger, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Comments on PHP security
Message-ID: <20070117084600.GA19933@mint.phcomp.co.uk>
In-Reply-To: <45AD63A1.2040206@adaniels.nl>

On Wed, Jan 17, 2007 at 12:45:37AM +0100, Arnold Daniels wrote:
> Hi,
>
> First of all I admit I'm no PHP security expert or PHP internals expert
> or anything, so please don't flame me if I say something stupid.
>
> Wouldn't simply adding a flag to allow URLs (which includes all '*://'
> streams), in functions that open streams be enough? For example:
> fopen($file, 'r') and fopen($url, 'ru') and fopen('php://output', 'ru').
> In my opinion, using '*://' streams is an advanced feature. Developers
> who are using that, should be able to make sure no URLs are opened.
> Again, just an idea.

Brilliant. The only thing that need be added is a config var to control the
default behaviour - which should be 'don't allow'.

Doesn't fix everything (e.g. includes), but it is a good start.

Note that allow_url_fopen is not the same thing, as that does not allow the
program to specify when it wants it.

> Last, I'm a software developer at a shared hosting company. In my
> opinion, making sure that users don't touch other people's files, does
> not belong in the PHP layer. With other Apache modules you can do nasty
> things as well. We (not me) have written a kernel patch to allow
> switching of the current processes (much like sudo) and a matching
> Apache module. Since the privileges only allow the user or group to
> access the file, Linux does the rest. Another solution is to start PHP
> as CGI under the correct user, but other things will never be really safe.

Care to share that with the world?

--
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php

#include
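
The opt-in flag proposed in the quoted message, combined with the default-deny setting asked for in the reply, sketched as a userland wrapper. This is an added example, not code from the thread or from PHP itself: `guarded_fopen`, `stream_scheme` and `ALLOW_URL_BY_DEFAULT` are hypothetical names, and it goes slightly beyond the '*://' pattern by also treating slash-less `data:` paths as wrappers, as PHP's wrapper lookup does.

```php
<?php
// Hypothetical sketch of the thread's opt-in 'u' flag; real fopen() has none.

// Assumed stand-in for the proposed config variable: when false (the
// default asked for in the reply), any wrapper path needs the 'u' flag.
const ALLOW_URL_BY_DEFAULT = false;

// Return the wrapper scheme for $path, or null for a plain filesystem path.
// A scheme is 2+ scheme chars before "://" (so "C:" is not one), or "data:".
function stream_scheme(string $path): ?string
{
    if (preg_match('#^([a-z0-9+.\-]{2,})://#i', $path, $m)) {
        return strtolower($m[1]);
    }
    if (strncasecmp($path, 'data:', 5) === 0) {
        return 'data';
    }
    return null;
}

// fopen() replacement: the caller must add 'u' to $mode to open anything
// that resolves to a stream wrapper; the flag is stripped before the call.
function guarded_fopen(string $path, string $mode)
{
    $wantsUrl = strpos($mode, 'u') !== false;
    $mode = str_replace('u', '', $mode);
    $scheme = stream_scheme($path);
    if ($scheme !== null && !$wantsUrl && !ALLOW_URL_BY_DEFAULT) {
        throw new RuntimeException("wrapper '$scheme' needs the 'u' flag");
    }
    return fopen($path, $mode);
}

// Constructed inputs: a local file, then wrapper paths without and with 'u'.
$cases = [
    [__FILE__, 'r'],
    ['php://memory', 'r+'],
    ['data:text/plain,hello', 'r'],
    ['php://memory', 'r+u'],
];
foreach ($cases as [$path, $mode]) {
    try {
        fclose(guarded_fopen($path, $mode));
        echo "opened  $mode  $path\n";
    } catch (RuntimeException $e) {
        echo "refused $mode  $path: {$e->getMessage()}\n";
    }
}
```

As the reply points out, a check of this kind covers only explicit open calls and does nothing for include/require.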