I have a script and I'd like to access the home directories of users in a Linux environment.
Web root : /var/www/html/
And there are user directories such as : /home/john
/home/david
etc.
There are files in users home directories. The permissions of user homes belong to the users. eg:
/home/david/file.txt user: david group: david
Is it possible to access these files with Apache? I assume it's not because of the permission.
Is there a way around this?
In other words, my PHP program under /var/www/html/index.php can access the files under /home/david/foo.txt
How can I get this done? Thanks.
The best way would be to have the users place the specific needed files into a pub directory, then chmod 777 that directory.
If you want to access arbitrary files in the home directory, you have to run Apache as root, which is a big security risk. (While you could change the permissions of the home directory, this can mess up a lot of programs, in my experience.)
Maybe I am a bit paranoid when it comes to these things, but in my opinion there is something conceptually wrong here:
A script, that is exposed to the web should never be given access to users' home directories. One reason for saying that is that a compromise of the web server might result in exposure of files in the home directories to anyone who can access the web server. Another reason is that files in the home directories are (at least to my understanding) a place where users keep more or less personal/private files that should not be available to other users. Otherwise they would have placed it in a public directory.
While I am not sure what your use case is, I suggest it might be better to use a different concept where Apache does not need access to the home directories of other users in the first place.
So I have a PHP application. The permissions are set to appropriate ones for www-data user and group. The problem is that I have files being generated by another server process (a java process) running under a different user that PHP needs to access. They are also in another directory not registered with the vhost.
So I'm trying to figure out the best way to do this. I think I can create a symlink to that directory in my php folder that's already accessible via the virtualhost (checking to make sure apache is following symlinks). So then I will still have to change the permissions on the actual files, right--maybe add www-data to the group that creates those files? Does that mean www-data would potentially have access to all the files owned by that group? Are the apache directory permissions enough to prevent a potential attacker from moving outside the directory with those specific files I want served?
Alternatively I could create a new virtualhost that runs under the user that owns those files, and just access the files via a different subdomain.
I could potentially see about creating the files as owned by the www-data group and having group read permissions on the files.
Anyway, just seeing whether there's a standard best practice for this issue.
I was wondering, is it possible to access a folder not inside the web server? Say, for example, I have a XAMPP installation and inside the htdocs folder I have a web app called MySite which has an Upload Folder.
What I wanted to do is redirect all my uploads so that, instead of being saved into MySite\Uploads, they are saved into D:\Data\Uploads.
Is this possible? I presume this should have already been asked many times and answered many times, but I wasn't able to find the right answer, maybe because I haven't pinned down the right question.
Please help.
It is possible if the webserver has write rights in that folder.
For example, if you do:
file_put_contents("absolute_path_where_you_want_to_save", $file_contents);
It will work if the user executing the php script has the correct rights (write) to do so.
This is especially useful when READING files that are outside the webserver, for example to retrieve the MySQL user and password from a file that can't be read even if someone gains access to the folders of your webserver.
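An added example (not the answerer's code) of writing uploads to a directory outside the web root: it checks that the PHP user can write there and builds the destination from a generated name rather than the client-supplied one. The function name, the extension allow-list and the temporary directory standing in for D:\Data\Uploads are assumptions.

```php
<?php
// Added example, not the answerer's code. store_outside_webroot() and the
// allow-list are assumptions for illustration.

function store_outside_webroot(string $dir, string $clientName, string $contents): string
{
    // The PHP/web server user needs write permission here, as the answer says.
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("PHP user cannot write to $dir");
    }
    // Take only an allow-listed extension from the client-supplied name;
    // nothing else from that name is used to build the path.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'png', 'pdf', 'txt'], true)) {
        throw new InvalidArgumentException("File type not allowed: $ext");
    }
    $dest = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    // In a real upload handler, replace this write with
    // move_uploaded_file($_FILES['field']['tmp_name'], $dest).
    if (file_put_contents($dest, $contents, LOCK_EX) === false) {
        throw new RuntimeException("Write to $dest failed");
    }
    return $dest;
}

// Constructed demo: a temp directory stands in for D:\Data\Uploads.
$uploads = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($uploads, 0750);

foreach (['report.txt', '../outside.txt', 'script.php'] as $name) {
    try {
        $saved = store_outside_webroot($uploads, $name, "constructed sample\n");
        echo "$name -> $saved\n";
    } catch (InvalidArgumentException $e) {
        echo "$name rejected: ", $e->getMessage(), "\n";
    }
}
```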
I have the following code:
mkdir($thumb_dir);
which creates a directory in the proper location, but when I view the permissions it is
Owner : nobody
Group : nobody
I don't have shell access to chown. How do I prevent the user from being assigned as nobody, and how do I delete the folder that I have already made, since I don't have permission?
It's a GoDaddy shared server...
You can delete empty directories with rmdir().
nobody is the user that runs the Apache process. You can't change the owner from within PHP, nor can you delete the folder using shell access (or make any changes to it whatsoever) without root permissions; you can manipulate it only through PHP.
This happens because the Web server is run by the nobody user. Therefore, everything you do on the file system will be done with the privileges of nobody.
There is typically no way for you to change anything about that. You'll have to manage with the Apache user being different from the FTP user you have. If you create a directory with PHP, you'll only be able to delete it with PHP (using rmdir() when the directory is empty), and if you create files you will most likely have to delete them from PHP as well.
I suggest that you create your directory structure with your FTP user and keep as little PHP-generated content around as possible because of that.
You can alleviate the symptoms using permissive authorizations (with chmod), but that's generally not a super good idea security-wise.
Use rmdir($thumb_dir); to delete it.
You cannot change your PHP user on a shared server.
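Since rmdir() only removes empty directories, here is an added example (not from the answers above) that removes a PHP-created directory tree from PHP itself, without following symlinks out of the tree. The helper name remove_tree() and the temporary directory standing in for $thumb_dir are assumptions.

```php
<?php
// Added example, not from the answers above. remove_tree() is an assumed helper name.

function remove_tree(string $dir): bool
{
    if (is_link($dir) || !is_dir($dir)) {
        return false;                       // refuse symlinks and non-directories
    }
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST   // children before their parent
    );
    foreach ($items as $item) {
        // A symlink to a directory reports isDir() === true, so test isLink()
        // first and unlink the link itself rather than touching its target.
        $ok = ($item->isDir() && !$item->isLink())
            ? rmdir($item->getPathname())
            : unlink($item->getPathname());
        if (!$ok) {
            return false;
        }
    }
    return rmdir($dir);
}

// Constructed demo tree standing in for $thumb_dir.
$thumb_dir = sys_get_temp_dir() . '/thumbs_' . bin2hex(random_bytes(4));
mkdir("$thumb_dir/small", 0755, true);
file_put_contents("$thumb_dir/small/a.jpg", 'constructed');
echo 'owner uid: ', fileowner($thumb_dir), "\n";   // the uid PHP runs as
echo remove_tree($thumb_dir) ? "removed\n" : "failed\n";
```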
I'm developing a WYSIWYG type site builder in JS for people who don't know HTML/CSS. It's all done, but I want to make this as simple as possible. In a perfect world, they'd just upload all the files to their host and be done with it. The problem I'm having is, I have some files and folders that need writing to, but PHP doesn't have permission unless I CHMOD those specific files and folders to 777.
I really don't want to do this and was hoping I had some alternative, nor do I want to be criticized for forcing CHMOD 777 upon everyone. Is there anything I can do (that would be simple for my users) to allow PHP to write to files/folders without having to grant permission to EVERYONE?
I can't have PHP create the files/folders itself because it doesn't have access to write to the root directory either.
You could chgrp the files to the web server's group (or PHP's, if it's set up to run as its own user) and chmod 770 them. But that wouldn't get you much securitywise.
Alternatively, you could do what some other PHP CMSes (like Joomla) do -- when a file needs to be modified, have the server connect back to itself via FTP (with the site owner's credentials) and upload the replacement file.
Truth be told, though, any way you choose to allow people to modify files on the server is going to have its pitfalls, and securitywise will generally be almost as bad as making the whole site world-writable. No matter how you do it, I suggest you make damn sure your authentication and access control mechanisms are up to snuff, as you're taking those responsibilities upon yourself especially when you allow web users to edit files.
Have the users CHMOD 777 the root directory, have your script create the new folder, and then have them restore the root directory's permissions.
I've been wondering: is it possible to shield a directory/file on a server from the outside world, but make it accessible to PHP?
It's fairly simple. I'm caching webpages on my server with PHP in a certain directory, but I do not want web users to view these files or this directory directly. PHP, on the other hand, must be able to access these files (to serve them to the user). That may sound not logical, but what I'm trying to do is restrict users certain pages and still be able to cache them in a webserver-savvy format.
Preferably something with .htaccess or chmod.
Thanks!
Absolutely-- in fact, you don't need to use .htaccess. Simply put the protected directory above your document root (that is, store it next to the folder where your PHP scripts are stored, typically "htdocs," "httpdocs" or sometimes just "www").
So your web files would be in /my/folders/httpdocs/, and your "protected" files would be in /my/folders/protected_folder/
The idea here is that PHP can access any folder on the server, but Apache won't let the user navigate "above" the root directory.
To access the directory, you can use:
$protected_path = $_SERVER['DOCUMENT_ROOT'].'/../protected_folder/';
(Incidentally, you mentioned you're doing this to cache pages-- you might want to look at Smarty, the PHP template engine, which pre-compiles your templates and also supports really smart caching. And in fact, one of the Smarty "best practices" is to configure your structure so the template and cache files are not in or below the document_root folder, so users coming in from Apache can never get to them, but the Smarty PHP code can easily grab whatever it needs from there.)
Sure, just place the files in a directory outside of your web root. For instance, if your web root is /usr/local/apache/htdocs/ you can create a /usr/local/apache/private_cache/ directory that PHP should have access to, but there is no way to get to it via a web request.
You can also put a .htaccess file consisting of the line deny from all in the directory you want to protect. That will prevent Apache (but not PHP) from serving up the files.
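An added example (not from the answers) of serving cached pages from a directory above the document root: because PHP can read anywhere its user can, the requested name is resolved with realpath() and must stay inside the cache directory. The function names cache_path() and serve_cached() and the throwaway directory tree are assumptions.

```php
<?php
// Added example, not from the answers. cache_path(), serve_cached() and the
// directory names are assumptions for illustration.

// Resolve a requested cache entry to a real file inside $cacheDir, or null.
function cache_path(string $cacheDir, string $name): ?string
{
    $base = realpath($cacheDir);
    if ($base === false) {
        return null;                          // cache directory missing
    }
    // realpath() collapses "..", "." and symlinks; false if nothing exists there.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment: the resolved path must still sit under "<base>/".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function serve_cached(string $cacheDir, string $name): void
{
    // The application's own access check for the page belongs before this call.
    $path = cache_path($cacheDir, $name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: text/html; charset=utf-8');
    readfile($path);
}

// Constructed demo, CLI only: a throwaway tree shaped like the answer's layout.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
    mkdir("$root/httpdocs", 0750, true);
    mkdir("$root/protected_folder", 0750);
    file_put_contents("$root/protected_folder/home.html", "<p>cached</p>\n");
    file_put_contents("$root/private.txt", "not part of the cache\n");

    $cache = "$root/httpdocs/../protected_folder";   // DOCUMENT_ROOT . '/../protected_folder'
    foreach (['home.html', '../private.txt', 'missing.html'] as $name) {
        echo $name, ' => ', cache_path($cache, $name) ?? 'refused', "\n";
    }
}
```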