Request #67712 Option to disable php_engine if file owner uid == getuid for webserver security
Submitted: 2014-07-30 06:24 UTC Modified: 2020-02-02 17:56 UTC
From: phpbugreq dot fileowner at sub dot noloop dot net Assigned:
Status: Suspended Package: Apache2 related
PHP Version: Irrelevant OS: UNIX
Private report: No CVE-ID: None
 [2014-07-30 06:24 UTC] phpbugreq dot fileowner at sub dot noloop dot net
Description:
------------
This is a simple feature request that might improve security for hosts configured with a run-of-the-mill apache2+mod_php "LAMP stack":

I propose a new option in php.ini, for example "exec_deny_fileowner_self = On" (default "Off").

If set, when starting to execute a script, the PHP engine checks the script's file owner uid on disk against the currently running process' uid. If they match, execution is disabled.

The idea is to prevent exploits in upload directories. A file upload via some PHP script would normally be written to disk with a unix file owner set to that of the webserver (for example "nobody" or "www-data"). A subsequent request to execute the uploaded file will then fail, because the file's owner uid is equal to the current uid of the executing apache process.

It should be sufficient to perform the check only on the main script file before execution starts; included/required files can probably be skipped.

This would be very useful for hosting setups where PHP applications are deployed by regular users onto a common apache2+mod_php setup. Of course, it would break things like wordpress plugin installations and auto-update (which requires the files to be writable by the web server), in which case the option should be kept disabled.

I'm aware that apache can be configured to disable PHP conditionally on directories etc, but it can be easy to miss a location with many virtualhosts and sites on a server. A simple optional setting like this could arguably prevent a lot of common exploits for a relatively low performance hit of a single file stat per script.
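The check proposed above can be approximated in userland today without touching the engine. The following is an added example written for this page; it is not code from the bug report or from PHP itself. It assumes it is deployed through `auto_prepend_file` (for example `auto_prepend_file = /etc/php/deny_self_owned.php` in php.ini, or a `php_admin_value` in the vhost), that the prepend file is owned by root and not writable by the web server user, and that the `posix` extension is loaded. The function name and log text are illustrative.

```php
<?php
// Added example, not part of the bug report or of PHP itself.
// Userland approximation of the proposed "exec_deny_fileowner_self" option:
// refuse to run the main script when the file on disk is owned by the same
// uid the PHP process runs as (e.g. www-data under mod_php). Uploaded files
// written by a PHP script get that uid, so they are refused; files deployed
// by a regular user keep working.
//
// Assumed deployment (paths illustrative):
//   auto_prepend_file = /etc/php/deny_self_owned.php
// The prepend file must NOT be writable by the web server user, otherwise
// an attacker who can write files can simply overwrite this check.

declare(strict_types=1);

function deny_self_owned_script(string $scriptPath): void
{
    // Resolve symlinks so the check applies to the real file on disk,
    // not to a link placed somewhere else.
    $real = realpath($scriptPath);
    if ($real === false) {
        return; // Nothing to check; PHP will fail to open it anyway.
    }

    // fileowner(): uid of the file on disk.
    // posix_geteuid(): effective uid of the running process
    // (www-data under mod_php, the pool user under php-fpm).
    $fileUid = fileowner($real);
    $procUid = posix_geteuid();

    if ($fileUid === false) {
        return; // stat() failed; let PHP report the real error.
    }

    if ($fileUid === $procUid) {
        // Log the refusal to the SAPI error log, never to the client.
        error_log(sprintf(
            'deny_self_owned_script: refusing %s (file uid %d == process uid %d)',
            $real,
            $fileUid,
            $procUid
        ));
        http_response_code(403);
        exit('Forbidden');
    }
}

// As the report suggests, only the main script is checked; included files
// are not. Skip the CLI, where the invoking user normally owns the script.
if (PHP_SAPI !== 'cli' && isset($_SERVER['SCRIPT_FILENAME'])) {
    deny_self_owned_script($_SERVER['SCRIPT_FILENAME']);
}
```

Two caveats before enabling something like this on a shared host. Under php-fpm with one pool per site running as that site's user, deploy uid and runtime uid are the same, so every script would be refused; the check only makes sense where the deploying user differs from the uid PHP runs as. And it does not replace disabling PHP on upload directories (`php_admin_flag engine off` inside the relevant `<Directory>` block in the Apache config); it is a second, per-request guard for the directories that were missed.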


History

 [2020-02-02 17:56 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2020-02-02 17:56 UTC] cmb@php.net
This feature requires discussion on the internals mailing list,
and potentially the RFC process[1].  For the time being, I'm
suspending this ticket.

[1] <https://wiki.php.net/rfc/howto>
 [2020-02-02 19:40 UTC] bugreports at gmail dot com
Don't bring back safe_mode, which brought more problems than it ever solved, 10 years after we got rid of it.

https://www.php.net/manual/en/features.safe-mode.php