Bug #41768 exec, passthru, popen... don't passthru Impersonation context
Submitted: 2007-06-21 18:16 UTC
Modified: 2007-06-21 22:34 UTC
From: aheckmann at m-s dot de
Assigned:
Status: Not a bug
Package: IIS related
PHP Version: 5.2.3
OS: Windows 2000 / IIS
Private report: No
CVE-ID: None
 [2007-06-21 18:16 UTC] aheckmann at m-s dot de
Description:
------------
I run php as fastcgi on Win2000 / IIS with Zend Enabler (FASTCGI-Handler). 

The Webserver uses impersonation for its virtual hosts: the worker process is running as user
IWAM_SERVERNAME, and the scripts (.asp/.php) impersonate the security context of user IUSR_SERVERNAME.

In fastcgi.conf (for ZendEnabler) Impersonate="1" is set,
in php.ini fcgi.impersonate=1 is set.

So the php scripts now also use the impersonated security context. (As expected.)

But if I start an external process (Imagemagick) with exec(), passthru(), popen() or proc_open(), this external process uses the default security context, in my example the user IWAM_SERVERNAME.

So all the permissions set for the virtual host user (IUSR_SERVERNAME)
do not work for the external process because it runs as IWAM_SERVERNAME and so I get a permission denied.

As I understand it, this is the default behaviour in the Windows process model when creating a new process with the WinAPI function CreateProcess().
In my opinion it would be better to use CreateProcessAsUser() in PHP so the new process will also use the impersonated security context
(when php.ini fcgi.impersonate=1 is set).

I think this feature would be very useful to keep security in virtual hosting environments on IIS high (separate permissions for virtual hosts). With the upcoming Microsoft-FCGI-ISAP-Handler, the number of IIS installations with PHP will surely rise and this feature will become much more relevant.
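
A way to check on a given server whether child processes keep the impersonated context described in this report, as an added example (not code from the report or from PHP itself). It assumes Windows, PHP 7.4 or later with the FFI extension and `ffi.enable=1`, `exec()` permitted, and `whoami.exe` on the PATH; the function names are hypothetical.

```php
<?php
// Added diagnostic (not from the report). Assumptions: Windows, PHP 7.4+ with
// ext-ffi and ffi.enable=1, exec() allowed, whoami.exe available on the PATH.

// User of the calling thread. GetUserNameA reports the impersonated account
// when the thread carries an impersonation token.
function thread_user(): string
{
    $ffi = FFI::cdef(
        'int GetUserNameA(char *lpBuffer, unsigned long *pcbBuffer);',
        'advapi32.dll'
    );
    $buf = $ffi->new('char[257]');          // UNLEN (256) + NUL
    $len = $ffi->new('unsigned long');      // DWORD on Windows
    $len->cdata = 257;
    if (!$ffi->GetUserNameA($buf, FFI::addr($len))) {
        throw new RuntimeException('GetUserNameA failed');
    }
    return FFI::string($buf);
}

// User of a child process started the same way exec()/passthru() start one.
function child_user(): string
{
    exec('whoami', $out, $rc);
    if ($rc !== 0 || empty($out[0])) {
        throw new RuntimeException('whoami failed');
    }
    return trim($out[0]);                   // DOMAIN\user or HOST\user
}

// whoami prints "domain\user", GetUserNameA only "user": compare the account part.
function same_account(string $thread, string $child): bool
{
    $pos = strrpos($child, '\\');
    $account = $pos === false ? $child : substr($child, $pos + 1);
    return strcasecmp($thread, $account) === 0;
}

$thread = thread_user();
$child = child_user();
header('Content-Type: text/plain');
printf("PHP thread runs as:    %s\n", $thread);
printf("child process runs as: %s\n", $child);
echo same_account($thread, $child)
    ? "OK: child processes keep the request's security context\n"
    : "MISMATCH: child processes run under the worker process account\n";
```

Run it once through the web server on a test virtual host and remove it afterwards, together with the `ffi.enable=1` setting. A mismatch means file ACLs granted only to the virtual host user will not apply to external programs such as ImageMagick.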


 [2007-06-21 22:34 UTC] johannes@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Please report this to Zend. PHP doesn't know about things like an "impersonated security context".