Request #67712 Option to disable php_engine if file owner uid == getuid for webserver security
Submitted: 2014-07-30 06:24 UTC Modified: 2020-02-02 17:56 UTC
From: phpbugreq dot fileowner at sub dot noloop dot net Assigned:
Status: Suspended Package: Apache2 related
PHP Version: Irrelevant OS: UNIX
Private report: No CVE-ID: None

 [2014-07-30 06:24 UTC] phpbugreq dot fileowner at sub dot noloop dot net
This is a simple feature request that might improve security for hosts configured with a run-of-the-mill apache2+mod_php "LAMP stack":

I propose a new option in php.ini, for example "exec_deny_fileowner_self = On" (default "Off").

If set, when starting to execute a script, the PHP engine checks the script's file owner uid on disk against the currently running process' uid. If they match, execution is disabled.

The idea is to prevent exploits in upload directories. A file upload via some PHP script would normally be written to disk with a unix file owner set to that of the webserver (for example "nobody" or "www-data"). A subsequent request to execute the uploaded file will then fail, because the file's owner uid is equal to the current uid of the executing apache process.

It should be sufficient to perform the check only on the main script file before execution starts; included/required files can probably be skipped.

This would be very useful for hosting setups where PHP applications are deployed by regular users onto a common apache2+mod_php setup. Of course, it would break things like WordPress plugin installations and auto-update (which requires the files to be writeable by the web server), in which case the option should be kept disabled.

I'm aware that apache can be configured to disable PHP conditionally on directories etc, but it can be easy to miss a location with many virtualhosts and sites on a server. A simple optional setting like this could arguably prevent a lot of common exploits for a relatively low performance hit of a single file stat per script.
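
The owner check this request describes, sketched in C as an added example (it is not code from PHP, mod_php or the reporter). The function name `exec_denied_for_owner` and the fail-closed return value are assumptions; the caller passes the process uid, here taken from `getuid()` as in the request title.

```c
/* Added example: hypothetical helper, not part of PHP or mod_php. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Decide whether the main script may run under the proposed rule.
 * Returns  1 if the file owner equals process_uid (execution refused),
 *          0 if the owner differs (execution allowed),
 *         -1 if the owner cannot be determined (treat as refused).
 */
int exec_denied_for_owner(const char *script_path, uid_t process_uid)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging if the path is a FIFO. */
    int fd = open(script_path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the owner belongs to the
     * file that was opened; an engine would read the script from this
     * same descriptor instead of reopening the path. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    close(fd);
    return st.st_uid == process_uid ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/script.php\n", argv[0]);
        return 2;
    }
    int r = exec_denied_for_owner(argv[1], getuid());
    puts(r == 1 ? "deny: script is owned by the running uid"
       : r == 0 ? "allow: script is owned by another uid"
                : "deny: owner could not be checked");
    return r == 0 ? 0 : 1;
}
```

The path is opened with ordinary symlink-following semantics, so the owner compared is that of the file whose contents would be executed, not of a link pointing at it.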


 [2020-02-02 17:56 UTC]
-Status: Open +Status: Suspended
 [2020-02-02 17:56 UTC]
This feature requires discussion on the internals mailing list,
and potentially the RFC process[1].  For the time being, I'm
suspending this ticket.

[1] <>
 [2020-02-02 19:40 UTC] bugreports at gmail dot com
don't bring back safe_mode which brought more problems than it ever solved 10 years after we got rid of it
Last updated: Tue Dec 01 04:01:25 2020 UTC