[linux-security] Re: php3 module and security
- From: Zeev Suraski <bourbon netvision net il>
- To: "Levy Carneiro Jr." <levy null net>
- Cc: linux-security redhat com
- Subject: [linux-security] Re: php3 module and security
- Date: Tue, 11 May 1999 03:20:29 +0300 (IDT)
On Fri, 7 May 1999, Levy Carneiro Jr. wrote:
>
> Hi,
>
> When the php3 module is compiled into Apache, files in any directory will
> be interpreted by the parser and executed. This is a security breach.
> Is there a way to correct this? Any comments?
This is simply not true. Apache does exactly what you tell it to do, and
Apache is the one that invokes PHP. If you tell Apache to parse any .php3
file as PHP, what you say is (partially) true (only .php3 files will be
executed). However, like just about any other Apache directive, you can
enable the PHP module on a per directory basis. Simply have the relevant
AddType inside a <Directory> block.
As for safe-mode, unlike what Peter said, safe-mode isn't restricted to the CGI
version only. It works very well with the Apache module as well. In
safe-mode, additional code is executed to ensure that only files owned by
the user who ran the script can be opened (among other things). Note that
this code cannot rely on the uid/euid, since it's almost always
root/nobody. Instead, it tries to figure out the username according to
the path of the initial file. For that reason, and since these checks are
not provided at the OS level, I wouldn't consider them bulletproof.
What Peter may have meant is the option of running the PHP CGI with
su-exec, i.e., actually run the PHP CGI in the context of the user who
owns the script. While I've never configured PHP to work this way (and
this should involve configuration for each user, which may be a bit of a
headache), this is the most secure way to implement full and standard file
permissions in Apache CGIs (in this particular case, PHP). You do lose
quite a lot of performance by using the CGI binary and not the Apache
module, though.
Zeev
--
-----------------------------------------------------
Zeev Suraski <zeev zend com>
For a PGP public key, finger bourbon netvision net il
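The per-directory AddType that the reply recommends, written out as an added example (not configuration from the original message or from the PHP project). It assumes Apache 1.3-era syntax with mod_mime loaded, the MIME type application/x-httpd-php3 that the PHP 3 module registered, and two hypothetical paths, /var/www/app for the application and /var/www/uploads for user-writable content:

```apache
# Added example, not part of the original message. Paths are assumptions.

# Weak: a server-wide AddType hands every *.php3 file under DocumentRoot,
# including anything a user manages to write into an upload directory,
# to the PHP module for execution.
# AddType application/x-httpd-php3 .php3

# Preferred: scope the AddType to one directory tree, so only scripts that
# the administrator placed under /var/www/app are parsed as PHP.
<Directory "/var/www/app">
    AddType application/x-httpd-php3 .php3
</Directory>

# Hypothetical upload directory: a .php3 file here is not executed because
# the AddType above does not apply. Refuse to serve such files at all,
# since otherwise Apache would return their source as plain text.
<Directory "/var/www/uploads">
    RemoveType .php3
    <Files "*.php3">
        Order allow,deny
        Deny from all
    </Files>
</Directory>
```

After changing this, check it with a file that is not meant to be executable: request a .php3 file placed under the upload path and confirm the server answers 403 rather than either running it or returning its contents. The `<Files>` block is what makes the difference between "not executed" and "not served"; the reply's point is about the former, the deny rule closes the latter.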