The Config:
Webserver Apache 2.2 / mod_php 5.3 (FreeBSD 8)
User websites:
/home/user/public_html
Platform files
/usr/local/myPlatform/
The Premise:
Each vhost in the apache config has the platform directory aliased to /myPlatform so it can be accessed via hxxp://www.mysite.com/myPlatform - This is to keep the source of the platform system safe from being stolen by a user.
The Problem:
The platform directory is 500 owned by the apache user. This is good and keeps the shell users from being able to view the files and still allows apache to read and exec the php files. However, one could conceivably create a PHP script (which runs as apache) to parse the directory listing, copy the files and give them as a zip download or something to the person. Obviously this is obscure and more or less unlikely but still possible.
Is there any way to prevent this? IE blacklist that directory from fopen, shell, and shell_exec commands?
For that matter, is there a way to do this in such a way that works for all server side scripting languages such as perl, in addition to php?
Possible to do this without suPHP or suExec?
Related
In my application I have to deploy my application on client system.
So is there any way to run my php application without installing xampp...
Because the client should access it as a readymade app without installing anything...
This is the description of my project...
We have to develop an application where the client will have our application he will connect to remote server
Then he will download the data from remote server...
Then he uses that downloaded data using that app
Here my requirement is the user may not have the knowledge of installing the xampp...
So is there any way to run the application in user system just by copying some files
You may suggest me a one click solution (like using installer which will include installation of xampp and copying my data into user system)
I really don't want to use any external software to render no database PHP pages so I did some digging and found that if you run php -S localhost:port in your working directory you basically start a server there.
S is a capital S and not s
I'm a big fan of server2go. I've used it to deploy PHP applications on CD/DVD. It comes with MySQL and is relatively easy to configure. I've even replaced their splash screen with my own so no one knows I'm using it. It's donationware, but I was impressed enough to donate:
server2go-web
With this application, you don't have to install all that other stuff. It's self-contained in this executable and directory.
EDIT: To clarify, server2go does not install anything on the client machine. It runs as an exe only when you specifically want it to. When you click on the .exe file, it launches your PHP application in a browser window, then you can right-click on the server2go icon in the system tray and close it when you're done.
EDIT2: One gotcha: if you want to save data to the MySQL db on the client machine, you'll need to copy server2go to a directory on the client machine or run it on a writable USB stick. If you run this application off CD/DVD, it will be able to read data from the database, but not write.
The better way is to use PHP Desktop Application. It will allow you to run your PHP Script like a Desktop application and you don't need to install Xampp or any other web server to run.
PHP Desktop Application
After downloading the .zip file, unzip it to any folder that you like. After unzipping, go to the folder, and there you can see a folder "www". Delete all the files contained in it and move all your php script to it.
Once you have moved all your files into it, run the .exe file named "PHP desktop-chrome"
It will open your PHP Script really like a Desktop Application.
This script doesn't require any kind of server software like Xampp, Wamp, Etc installed in your PC.
You can either host the php application or install the application into one system as server and call in client system using the ip of the server system like the following
http://**ip address/php file name
If you don't want your client to install anything then you should create Client Server architecture, there is no other way.
PHP applications are not meant to be deployed on multiple clients. It's meant to be deployed on a webserver (your own server with sth. like IIS or XAMPP) so the clients can access it via their browser and don't have to install anything more.
If you want to deploy applications on the client PCs I recommend another programming language like Java or C/C++.
I simply used xampp zip version so I copied my application into htdocs and the whole xampp is given to the customer so he simply running the application easily without installation.
Make sure you have installed php from https://www.php.net/downloads.php. Once installed add it to path. Lastly type php -S localhost:8000
PHP needs to be installed on the machine it is running at in order to make sure it works. Since the app may grow and may require extension installing, PHP upgrading over time, hosting this on a client machine is not a very easy task in terms of management. You may want to host your project on a server and write a small bash script sending requests to the API.
If, for some reason you cannot host this on a server where your clients would send requests via the bash scripts, then you may want to install only PHP. If it does not need to listen to HTTP requests, then you do not need a server, you can just implement the PHP application and create a bash script so the user will be able to run it from the UI of their operating system.
No, you need some kind of server - Wamp, Xampp, etc.
You can host it online, and then he can just browse it from his PC.
I am working on a LAMP web app running on Ubuntu 11.10.
I followed instructions on the web to harden my apache, php and mysql.
I have a PHP script which works fine when I run from the command line under my own id. But when I put the scripts into the web app framework, it can't even open a log file to write (in /tmp) and it can't read other files in /var/www/myapp/html as well.
I used Ajax to retrieve file contents on the server and then serve those files to the browser. So my url will look like: "php/myphpscript.php?arg=.......".
My directory structure is
/var/www/myapp/html|php|js|cfg.
I know this problem has something to do with permission, security but I am quite at loss.
Can someone describe what I need to do here?
Thanks,
I suspect you copied the files with your username, but apache executes as user www-data and thus has no access to your files. Either change them to belong to the apache user, or if you are the only developer on this machine, change apache to run as you.
I need a simple "development" server for php, e.g. not apache.
In a modern environment, such as node.js, I can run node server.js inside any folder, and it will run as a server running the site specified by server.js. I can then run another node process from a different folder, and the two servers will never interfere or get in each other's way.
Is there a similar setup for php?
With apache, it seems to me that I need to "configure" the server ahead of time; I can't just drop into some folder and serve its content on some arbitrary port.
I want a command that I can use to run a php server from inside some folder, with minimum amount of configuration, for the purpose of being a development/testing only server.
For instance, suppose this server is called sps, then, I should be able to:
cd ~/code/proj1
sps
Perhaps it could require a simple config file, sps.conf that specifies the port number the server should listen to, plus maybe information about the database connection; but nothing more.
Does such a tool exist for php?
With the current version of PHP (< 5.4), you indeed have to configure a webserver (Apache, nginx, ...) to serve the directory in which you'll have your website -- the directory in which you'll work.
Generally, though, you'll only have a couple of websites, which means you won't have to re-configure your webserver too often.
And if you often have to create / test some small scripts, just create an Apache VirtualHost that points to some tests directory, in which you'll put all your test scripts (I have exactly that on my computer).
With PHP 5.4 (currently in alpha -- so not to be used on a production server just yet ^^), you'll have a built-in web server, which should pretty much answer your question.
try XAMPP Lite version http://www.apachefriends.org/en/xampp-windows.html
Is there a way to distribute a PHP program like a desktop app, so that even if the user of the app doesn't have a local server environment setup on their PCs, the app will still work?
I was thinking, if there was some type of portable server environment program which includes PHP/Apache, then we could create a batch file which when clicked would start up apache in the portable program and launch the PHP app in the user's default browser. That way PHP apps could be distributed like desktop apps.
But the question is, is there such a portable server environment program that can be used for this?
Yes, if you google for XAMPP portable, you can find several versions of fully portable, fully functioning xampp servers for the go. You would have to make sure it contains all the security settings and extensions you need.
The file your user launches should be an .html file to be sure it opens in your browser. As you need to point the user to his own localhost to run your app (otherwise PHP won't be executed and he'd see a plain html file), you'd have to create a redirect, possibly using javascript or a simple "click here to start" link.
The XAMPP only provides half of the solution:
In addition to the XAMPP you can use Phar files that give you the ability to package your PHP applications as a unit for installation and/or deployment.
You can configure a separate php file which will handle any database creations and initial configuration which can be set to run on the first time.
For a helpful start guide consider the following link:
http://phpmaster.com/packaging-your-apps-with-phar/
Finally if you want to make it seamless (easier) to the user, consider writing a Batch script which will handle running some of the task required (Such as starting apache and mysql and running run.php). Take note of using relative rather than absolute directories to make script development easier.
How can you allow a PHP script to write to a file with high-security restrictions, such as only allowing a single user to write to it?
The difficulty seems to be that a PHP script is running as a low-permissions user (maybe apache, or www, or nobody?), and even if I chown apache the_writable_file, the directory it's in might not be writable for the low-level user. In general, what's the usual way that PHP can work with local files in a secure way?
Unfortunately, in shared hosts that use mod_php, there is no way to restrict access to secure files to your web app and login user.
The solution is to run your web app as your login user. When you do that, UNIX file permissions can correctly lock everyone else out. There are several ways to implement that, including SuExec, suPHP, or running PHP with FastCGI with mod_fcgid or mod_proxy_fcgid. FastCGI is my favorite way.
Another solution is to use a dedicated host or virtual private server.
Sure, chgrp apache the_writable_file and chmod g+w the_writable_file. After that, only your secure user and the apache user will be able to write to the file. Since the apache user is typically forbidden from logging in, you only have to worry about web users writing to your secure file through the http daemon.
All the containing folders need to have execute permissions.
For example, if the file's in /foo/bar/the_writable_file, the directories "foo" and "bar" both need to have executable permission to access the_writable_file, even if they don't have read/write permission.
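The permission rules behind the first question (a mode-500 directory owned by the apache user) and the last answers (group write on the file plus execute permission on every containing directory), as an added example that is not part of any post on this page. It evaluates mode bits per owner/group/other class on a constructed temporary tree; the function names and the uid/gid stand-ins are assumptions made for illustration.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) for uid/gids: owner, else group, else other (no root, no ACLs)."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def check_path(base, rel, uid, gids, want):
    """Directories need search (1); the last component needs all bits in want (4=r, 2=w, 1=x)."""
    parts, current = rel.split("/"), base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        need = want if i == len(parts) - 1 else 1
        bits = class_bits(os.stat(current), uid, gids)
        if bits & need != need:
            return False, f"'{part}' grants {bits:o}, needs {need:o}"
    return True, "ok"

def demo():
    """Constructed tree: foo/bar/the_writable_file and a mode-500 platform dir."""
    target = "foo/bar/the_writable_file"
    modes = {"foo": 0o710, "foo/bar": 0o710, target: 0o660, "platform": 0o500}
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "foo/bar"))
        os.mkdir(os.path.join(base, "platform"))
        open(os.path.join(base, target), "w").close()
        for rel, mode in modes.items():
            os.chmod(os.path.join(base, rel), mode)
        st = os.stat(os.path.join(base, target))
        web = (st.st_uid + 1, {st.st_gid})        # stand-in: apache, in the file's group
        other = (st.st_uid + 1, {st.st_gid + 1})  # stand-in: unrelated shell user
        out = {
            "web_write": check_path(base, target, *web, 2),
            "other_write": check_path(base, target, *other, 2),
            # the owner's bits apply to every script running under that uid
            "owner_list_platform": check_path(base, "platform", st.st_uid, set(), 5),
            "other_list_platform": check_path(base, "platform", *other, 5),
        }
        os.chmod(os.path.join(base, "foo/bar"), 0o700)  # remove group search on one dir
        out["web_write_bar_700"] = check_path(base, target, *web, 2)
        return out

if __name__ == "__main__":
    print(demo())
```

The `owner_list_platform` result is the point of the first question: mode 500 keeps other accounts out, but the owner class applies to any script executed under the web server's uid.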