Request #64437 [feature request] log of php writes to local files
Submitted: 2013-03-15 23:21 UTC Modified: 2020-09-01 12:16 UTC
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: spamik at yum dot pl Assigned:
Status: Suspended Package: Filesystem function related
PHP Version: 5.4.13 OS:
Private report: No CVE-ID: None


 [2013-03-15 23:21 UTC] spamik at yum dot pl
As you probably know there are a lot of security bugs in current world php 
applications. Using these bugs an attacker executes his own code that writes to 
new .php files (usually) or modifies existing ones, putting there his malicious 
"botnet zombie" code.
It is really hard to quickly and effectively detect changes on the filesystem/kernel 
level, especially if we are talking about monitoring millions of directories 
(as in popular shared hosting).

I propose making a php file write log (to a file defined in php.ini). Operations 
that write to local files should be logged there (file_put_contents() and all 
fopen() except 'r' and 'r+' mode). The log should contain:
unix_timestamp<SEPARATOR>absolute path of file that used write function<SEPARATOR>absolute path of modified file

<SEPARATOR> could be '\0' as it can't be in a filename anyway. Another solution 
would be to escape paths as those can contain spaces etc.

Most of this code should probably go to ext/standard/file.c.
I've made a very very crude implementation of this for myself but that is really 
bad code because I lack C skills. It actually segfaults in some cases. So I won't 
even share it, no point.


 [2013-03-15 23:27 UTC] spamik at yum dot pl
Just to clarify: that log would actually be later on used by user-land applications 
that would scan those files that were written to.
In light of what is happening with php applications, mass hacks, botnets, people 
are moving to other languages that are more obscure just for their obscurity. PHP 
really needs to counteract and provide functionality like the one I propose.
 [2013-03-18 20:23 UTC] spamik at yum dot pl
Only writes to files with selected extensions (by php.ini, like php|htm|html|js) 
should be logged.
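The log format proposed in the first post (unix timestamp, writing script, modified file, NUL-separated) and the extension filter from the comment above, as consumed by the kind of user-land scanner the reporter describes. This is an added example, not code from the ticket or from PHP itself; the sample log lines are constructed, and the filter string is assumed to be the same pipe-separated list the reporter suggests for php.ini.

```python
import os
from typing import Dict, Iterable, List, NamedTuple

# Record layout and separator as proposed in this ticket.
SEPARATOR = "\0"
DEFAULT_EXTENSIONS = "php|htm|html|js"   # assumed php.ini-style allow-list


class WriteEvent(NamedTuple):
    timestamp: int   # unix timestamp of the write
    writer: str      # absolute path of the script that called the write function
    target: str      # absolute path of the file that was written


def parse_write_log(lines: Iterable[str], extensions: str = DEFAULT_EXTENSIONS) -> List[WriteEvent]:
    """Parse NUL-separated records, keeping only targets with a listed extension."""
    wanted = {"." + ext.strip().lower() for ext in extensions.split("|") if ext.strip()}
    events: List[WriteEvent] = []
    for raw in lines:
        parts = raw.rstrip("\n").split(SEPARATOR)
        if len(parts) != 3:
            continue          # malformed record: skip rather than guess at fields
        ts, writer, target = parts
        if not ts.isdigit():
            continue          # timestamp must be a plain unix integer
        if os.path.splitext(target)[1].lower() not in wanted:
            continue          # e.g. uploaded images are not worth scanning
        events.append(WriteEvent(int(ts), writer, target))
    return events


def files_to_scan(events: Iterable[WriteEvent]) -> List[WriteEvent]:
    """One entry per modified file (its latest write), most recent first."""
    latest: Dict[str, WriteEvent] = {}
    for ev in events:
        if ev.target not in latest or ev.timestamp > latest[ev.target].timestamp:
            latest[ev.target] = ev
    return sorted(latest.values(), key=lambda e: e.timestamp, reverse=True)


# Constructed sample log. The space in "my site" is preserved because the
# separator is NUL, which is the reason the ticket proposes it over whitespace.
SAMPLE_LOG = [
    "1363389660\0/var/www/my site/wp-content/plugins/x/upload.php\0/var/www/my site/wp-content/uploads/.cache.php",
    "1363389661\0/var/www/my site/wp-content/plugins/x/upload.php\0/var/www/my site/wp-content/uploads/photo.jpg",
    "1363389700\0/var/www/my site/wp-admin/update.php\0/var/www/my site/index.php",
    "1363389800\0/var/www/my site/wp-admin/update.php\0/var/www/my site/index.php",
    "garbage line without separators",
]

if __name__ == "__main__":
    for ev in files_to_scan(parse_write_log(SAMPLE_LOG)):
        print(ev.timestamp, ev.writer, "->", ev.target)
```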
 [2013-03-25 22:17 UTC] mail+php at requinix dot net
But a setup shouldn't allow PHP to do anything to files in the first place (with 
possible exceptions for things like file uploads). Directories should be locked 
down to 0755 or better, files to 0644 or better, and the web server/PHP running as 
a very under-privileged user like "nobody". Then there's no risk of creating new 
files or overwriting code or really any kind of modifications at all.
 [2013-03-28 02:39 UTC] spamik at yum dot pl
That might be good in a perfect world but php also needs to write to files, for 
example auto updates, log files, installation of extensions, file uploads.
The setup you are describing is like year 199X. Nobody can provide such restrictive 
environments now for hosting because applications depend on file writes and even 
self-modifying writes (updates).
Also executing code as one user under shared conditions? BIG NO.
The apc, fastcgi, fcgid way of running php in the default setup conforms to what I'm saying.
 [2020-09-01 12:16 UTC]
-Status: Open +Status: Suspended
 [2020-09-01 12:16 UTC]
This feature requires discussion which is beyond the scope of this
bug tracker.  Please send mail to the internals mailing list[1] if
you are still interested in having this feature.  For the time
being, I'm suspending this ticket.

[1] <>