[Pmwiki-users] Wiki Article in IX

Reimer Behrends behrends
Wed Mar 31 15:50:12 CST 2004


On Wed, Mar 31, 2004 at 03:29:03PM +0200, Nils Knappmeier wrote:
> Hi,
> 
> > * I'm not sure where the article gets the idea that PmWiki allows
> >   write access to PHP scripts, to be honest, except for a few
> >   brief moments during installation.
> >
> As I understand it, the point is that the server has to be configured in 
> a way that allows PHP scripts to write on the hard disk, even if executed 
> by a user.

Ah, I see. Then the translation should probably read "allowing write
access for PHP executables" instead of "allowing write access to PHP
executables".

> It's something for the server administrator to consider, not 
> for the one who installs the wiki.
> They're wrong insofar as there are safety measures like PHP safemode 
> that only give the user restricted access to the disk.

I'm not sure if there's really "right" and "wrong" here. The Apache/PHP
combination is not exactly the epitome of well-designed security. I
don't have the impression that much thought has been wasted on what
security for dynamically created content under Apache should look like,
and as a result we have a real hash of security policies that do not
cleanly compose (if at all).

Example: To access a MySQL database from PHP, Perl, or some other
scripting language, you need the password to connect. Because the script
runs with Apache's permission, the file containing the password must be
readable using the Apache uid. Because of that, _any_ script running
under Apache can retrieve the password. The only way around that is to
make the script setuid in some form (using suexec, cgiwrap, FastCGI, or
some other approach), which carries its own risks. PHP safe mode will
not help, because you can just use a Perl script (assuming that CGI is
allowed) to access the file, anyway.

> If the server is not running safe mode to restrict access for users to 
> certain directories, the user could indeed destroy the whole /var/www 
> (which is usually owned by www-data or so), because PHP always runs as 
> http-user (even when executed from a user homepage).
> On the other hand, a malicious PHP script in /var/www could be used to 
> destroy your wiki.d directory, since that script would certainly not be 
> running in safemode.

Note that you are not restricting access for _users_. You are
restricting access for _PHP_. Anything that is not PHP can just freely
ignore these restrictions. I.e., I can use a Perl CGI script to write
files instead of using PHP, and wouldn't be limited at all by PHP's safe
mode.

My personal solution has been to use a virtual private server (based on
User Mode Linux or BSD's jail) instead of a virtual shared server.

			Reimer Behrends
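
An added example, not part of the original message: an audit sketch for the point made above, that a credentials file readable by the shared Apache uid is readable by every script running under that uid, whatever language it is written in. The file name `config.php`, the site directories, and the web-server uid and gid are constructed assumptions.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    # POSIX consults exactly one class: owner, else group, else other.
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def exposed_files(root, web_uid, web_gids, names=("config.php",)):
    """Credential files under root that the shared web-server uid can open."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories the web uid cannot traverse (no x bit for its class).
        dirnames[:] = [d for d in dirnames if class_bits(
            os.stat(os.path.join(dirpath, d)), web_uid, web_gids) & 1]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in names and class_bits(os.stat(path), web_uid, web_gids) & 4:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Constructed tree: four sites, each with a config.php holding a DB password."""
    layout = {  # site: (directory mode, file mode)
        "site_a": (0o755, 0o644),  # world-readable
        "site_b": (0o750, 0o640),  # readable through the web server's group
        "site_c": (0o750, 0o600),  # owner only, as when scripts run as the owner
        "site_d": (0o700, 0o644),  # file is open, but the directory is closed
    }
    with tempfile.TemporaryDirectory() as root:
        for site, (dmode, fmode) in layout.items():
            d = os.path.join(root, site)
            os.mkdir(d)
            f = os.path.join(d, "config.php")
            with open(f, "w") as fh:
                fh.write("<?php $db_password = 'constructed-sample'; ?>\n")
            os.chmod(f, fmode)
            os.chmod(d, dmode)
        st = os.stat(root)
        # Hypothetical web-server identity: a uid that owns nothing here,
        # placed in the group the files belong to.
        return exposed_files(root, st.st_uid + 1, {st.st_gid})

if __name__ == "__main__":
    print(demo())
```

Only the owner-only file and the file behind a closed directory stay out of reach of the shared uid, and the owner-only mode works only if the site's own scripts run under the owner's uid.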


