I have created a service in which users can have their own directory on my webpage (http://mywebsite.com/username/) and run php on it, but currently it is possible to make php code to access root directory (http://mywebsite/) and change things there.
I have made a bash script which creates a user, disables shell from it, and gives it the username directory and ftp access to it's directory.
Is there anything I can do to avoid users from accessing root through php?
I am running a LAMP stack with linux debian
Related
I am running my server on cPanel.
I have two users accounts:
/home/user1
/home/user2
From user2 I need to include /home/user1/public_html/config.php.
Is their anyway to apply this?
It is fully possible to access php files located in other parts of the hard drive than where the site is run. However, this depends on two things. First of, the web user needs read permissions for the file, and you need to define the root folder where that php file is located as a accessable folder for the website.
Setting file permissions for the file can be done with:
chmod +R 775 /home/user1/public_html/config.php
Defining the accessible folders for PHP depends on wether you are running Apache or Nginx.
In Nginx for example:
fastcgi_param PHP_ADMIN_VALUE "open_basedir =$document_root:/tmp:/usr/local/lib/php:/var/www/vhosts/yourdomain/httpdocs/:/home/user1/public_html";
In Apache:
Apache readme
Now you should be able to require the file like you normally would require any file:
require('/home/user1/public_html/config.php');
Why not just copy paste the /home/user1/public_html/config.php file to /home/user2/public_html/? If you don't have permissions to access or do any operation on the file, then you are simply not authorized to attempt this.
I have mounted a directory via curlftpfs. I am trying to access the files from within this mount via a webserver.
The path to the mounted directory is
'/home/domain.nl/domains/cms.domain.nl/public_html/project/1/syslink/'
The strange thing is that PHP can read and write from/to that directory. But when i try to access the folder from my apache webserver, then i get the error:
403 Forbidden
You don't have permission to access /project/1/syslink/file.jpg on
this server.
The output when I run exec('whoami') in php is:
urre
That is also the user that created the curlftpfs mount, so the rights are not the issue.
When I log in to the linux CLI with this user, I can access the mounted directory...
Apache Webserver requires the user "www-data" to be able to read and write to a folder / document.
You must change, either your FTP mount user to "www-data" or change your Apache running user.
In /etc/fstab
curlftpfs#user:pass#domain/directory fuse auto,user,uid=www-data,allow_other,_netdev 0 0
If you would like to set the group as well, you can add "gid=www-data" to fstab
This should allow Apache to read and write to your mounted FTP directory.
I have a code on PHP that was working in a server but we migrate that code to another server and now that code is not working, specifically we want to run an .exe file using PHP with the instruction exec
I debug the script and it looks be working properly and the IUSR user and IIS_IUSR have the correct permissions and actually the exe file is running, but, when it run it need generate some files that is the part that cause the issues, the program are trying to create files on the AppPool directory for example like this:
C:\MyPath\somewebsite.com\8áª\MyProgram\
Where C:\MyPath\somewebsite.com\ is the AppPool root directory and MyProgram\ is the directory that the app is creating
Where \8᪠is generated randomly and changes all the time that we try to run the program, debugging with Process Monitor I can get an error: PATH NOT FOUND and/or NAME INVALID, on the previous server we modify the user on the IIS to run the script (that was on IIS 6 now we are on IIS 8.5) and that files was created on the home directory of the user AND without the random directory, for example:
C:\Users\MyUser\MyProgram\
where MyUser is the user that we assigned, but on that new server we get the files on the AppPool directory no matter if we change the user
I think that we can solve that if we was able to define a path for the IUSR user and set it as "home" path but I cannot found where to modify the IUSR user, I know that is a build-in user that IIS create but I'm not sure if I can edit that settings for that user.
I already mention that we used IIS but just as an extra data, we are running that over Windows Server 2012 R2
Any suggestion?
You topic / question is:
IIS does not allow run .exe file using excec command on PHP
which is the correct behavior! You don't want to run .exe files through PHP, really. You have to give the IUSR execute permissions on cmd.exe first, meany you might as well give all your virtual users administrator permissions.
lot of time after but, PHP side was ok, the problem was on the .exe file, the exe file create some files that was used for the same exe program, but it uses relative paths so when the process run makes that did not found the files generated and this caused the errors
I think I'm misunderstanding something fundamental about file permissions in an OpenShift PHP app. How do they actually work?
I develop on OSX and push changes using SourceTree. When I log in to the app via an SFTP program (Cyberduck) the index.php file shows its permissions set to 600, yet visitors can view it OK in a browser.
This surprises me, as I thought the file would require permissions of 644 to be browsable (like an Apache webserver).
On OpenShift, it seems as though file permissions 600, 640 and 644 are all equivalent. Is this correct, or am I doing something wrong?
Related:
My OpenShift app has a cgi-bin folder containing a cgi program that should only be executed (called) from a PHP file. In other words, any PHP script should be able to call this cgi program, but a visitor attempting to browse to the cgi-bin folder directly should not.
I set both the cgi-bin folder and cgi program file permissions to 700 (so only the 'owner' has read/write/execute set, and no permissions are granted for 'group' and 'others'). However visitors can still browse to the program URL directly and execute it (e.g. www.example.com/cgi-bin/program.cgi) - as if the permissions were 777. How do I solve this?
I think you are used to a system where one user owns the files being served, and the web server runs as another user, but since the files owner (your user account that is that big long hash) is also the owner of the process that runs the web server on OpenShift, then it is using the "6" part of the permissions, so it makes sense that the other two digits that you add don't make a difference. If there is a script that you don't want web accessible, but that you want PHP to be able to execute, then you should place it outside of your web directory that contains your php files. The easiest way to do that would be to create a "php" folder in your repo, and put your files inside of it that need to be web accessible. That will change your documentRoot to that php directory, and you can put your script one level above that so users can't execute it with a web request.
This question is related to another question I wrote:
Trouble using DOTNET from PHP.
Where I was using the DOTNET() function in PHP to call a DLL I had written.
I was able to get it working fine by running php.exe example.php from the command line (with the DLL's still in the PHP folder).
I moved the php file to an IIS 7 webserver folder on the same machine (leaving the DLLs in the same php folder), but I keep getting a 500 internal service error.
I've checked the server logs (in c:\inetput\logs\ and in c:\windows\temp\php53errors) but there doesn't seem to be any relevant information about what caused the error. I even tried to change the php.ini settings to get more error feedback, but that doesn't seem to help.
I can only guess that the issue may be related to:
that php file not having the proper permissions (my dll does some file reading/writing)
php can't find the DLLs
The actual error I get is:
The FastCGI process exited unexpectedly.
Any idea on how to debug this problem?
The problem here is almost certainly related to file permissions.
When you run php.exe from the command line you run as your own logged-in user. When running a PHP script from IIS, in response to an http request, php.exe runs as a different user. Depending on your version of Windows it could be
IUSR_machine - on IIS6 and prior
IUSR on IIS7 and later
These users need permissions on the php file to be executed.
Read more about it
On IIS7 and later I use a command-line tool called icacls.exe to set the permissions on directories or files that need to be read by IIS and the processes it starts (like php.exe). This security stuff applies to all IIS applications: PHP, ASPNET, ASP-classic, Python, and so on.
IIS also needs to be able to read static files, like .htm, .js, .css, .jpog, .png files and so on. You can set the same permissions for all of them: Read and Execute.
You can grant permissions directly to the user, like this:
icacls.exe YOUR-FILE-GOES-HERE /grant "NT AUTHORITY\IUSR:(RX)"
You can also grant permissions to the group, to which IUSR belongs, like this:
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(RX)"
In either case you may need to stop and restart IIS after setting file-level permissions.
If your .php script reads and writes other files or directories, then the same user needs pernissions on those other files and directories. If you need the .php script to be able to delete files, then you might want
icacls.exe YOUR-FILE-HERE /grant "BUILTIN\IIS_IUSRS:(F)"
...which grants full rights to the file.
You can grant permissions on an entire directory, too, specifying that all files created in that directory in the future will inherit the file-specific permissions set on the directory. For example, set the file perms for the directory, then copy a bunch of files into it, and all the files get the permissions from the parent. Do this with the OI and CI flags (those initials stand for "object-inherit" and "container-inherit").
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
copy FILE1 DIRECTORY
copy FILE2 DIRECTORY
...
When I want to create a new vdir in IIS, to allow running PHP scripts, or ASPX or .JS (yes, ASP Classic) or Python or whatever, I do these steps:
appcmd.exe add app /site.name:"Default Web Site" /path:/vdirpath /physicalPath:c:\docroot
icacls.exe DIRECTORY /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
Then I drop files into the directory, and they get the proper permissions.
Setting the ACL (access control list) on the directory will not change the ACL for the files that already exist in the directory. If you want to set permissions on the files that are already in the directory, you need to use icacls.exe on the particular files. icacls accepts wildcards, and it also has a /t switch that recurses.