Request #67712 Option to disable php_engine if file owner uid == getuid for webserver security
Submitted: 2014-07-30 06:24 UTC
Modified: -
From: phpbugreq dot fileowner at sub dot noloop dot net
Assigned: (unassigned)
Status: Open
Package: Apache2 related
PHP Version: Irrelevant
OS: UNIX
Private report: No
CVE-ID: None
 [2014-07-30 06:24 UTC] phpbugreq dot fileowner at sub dot noloop dot net
Description:
------------
This is a simple feature request that might improve security for hosts configured with a run-of-the-mill apache2+mod_php "LAMP stack":

I propose a new option in php.ini, for example "exec_deny_fileowner_self = On" (default "Off").

If set, when starting to execute a script, the PHP engine checks the script's file owner uid on disk against the currently running process's uid. If they match, execution is disabled.

The idea is to prevent exploits in upload directories. A file upload via some PHP script would normally be written to disk with a unix file owner set to that of the webserver (for example "nobody" or "www-data"). A subsequent request to execute the uploaded file will then fail, because the file's owner uid is equal to the current uid of the executing apache process.

It should be sufficient to perform the check only on the main script file before execution starts; included/required files can probably be skipped.

This would be very useful for hosting setups where PHP applications are deployed by regular users onto a common apache2+mod_php setup. Of course, it would break things like WordPress plugin installations and auto-update (which require the files to be writable by the web server), in which case the option should be kept disabled.

I'm aware that apache can be configured to disable PHP conditionally on directories etc., but it can be easy to miss a location with many virtualhosts and sites on a server. A simple optional setting like this could arguably prevent a lot of common exploits for a relatively low performance hit of a single file stat per script.
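
The check the request describes, written out as a small added example in C (the language of the PHP engine). This is not PHP engine code and no patch was attached to this request; the function names, the `EXEC_*` result codes and the `/tmp` demo file are this example's own assumptions. Two details worth noting that the request leaves implicit: the check is done with `fstat()` on the descriptor the script will actually be read from, rather than a `stat()` on the path, so the file cannot be swapped between the check and execution, and anything that is not a regular file is refused rather than silently allowed. As in the request, only ownership is compared, so a file that is writable by the web server but owned by someone else still passes.

```c
/* Added example: sketch of the proposed "deny if script owner uid == our own
 * uid" check. Not PHP engine code; names and result codes are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the ownership check. */
enum exec_decision { EXEC_ALLOW = 0, EXEC_DENY = 1, EXEC_ERROR = -1 };

/* Decide on an already-open script descriptor. Using fstat() on the fd the
 * engine will read from avoids a check-then-open race on the path. */
int exec_check_fd(int fd, uid_t self_uid)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return EXEC_ERROR;
    if (!S_ISREG(st.st_mode))
        return EXEC_ERROR;   /* directories, devices, sockets: never executed */
    return (st.st_uid == self_uid) ? EXEC_DENY : EXEC_ALLOW;
}

/* Convenience wrapper: open the script read-only and apply the check.
 * self_uid is a parameter instead of geteuid() so both outcomes can be
 * exercised from one process. */
int exec_check_path(const char *path, uid_t self_uid)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return EXEC_ERROR;
    int rc = exec_check_fd(fd, self_uid);
    close(fd);
    return rc;
}

/* Constructed demo input: a file created by the calling user, the way an
 * upload handler running as the web server would create it. Returns the
 * path (valid until the process exits) or NULL on failure. */
static char demo_path[] = "/tmp/upload_demo_XXXXXX";
const char *make_self_owned_file(void)
{
    int fd = mkstemp(demo_path);
    if (fd < 0)
        return NULL;
    const char body[] = "<?php echo 'uploaded'; ?>\n";
    if (write(fd, body, sizeof body - 1) < 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return demo_path;
}

int main(void)
{
    const char *path = make_self_owned_file();
    if (path == NULL) {
        perror("mkstemp");
        return 1;
    }
    uid_t me = geteuid();
    /* Owner is our own uid: this is the "uploaded file" case and is denied. */
    printf("owner == self: %s\n",
           exec_check_path(path, me) == EXEC_DENY ? "DENY" : "allow");
    /* Any other uid (a regular user's deployed script) is allowed. */
    printf("owner != self: %s\n",
           exec_check_path(path, me + 1) == EXEC_ALLOW ? "allow" : "DENY");
    unlink(path);
    return 0;
}
```

The wrapper is only needed where the engine has a path but no descriptor yet; in a real integration the `fstat()` variant would be applied to the handle the compiler is about to read, and the result compared against the effective uid of the worker process (`geteuid()`), which is what a mod_php worker runs as.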


Patches: none attached

Pull Requests: none attached
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 15:01:25 2019 UTC