Geek Culture / how to restrict php's rights on file system?

DBPro Master
Joined: 16th Apr 2003
Location: Metropia
Posted: 28th May 2017 01:16
Due to the nature of a project I've been working on, I need my web server to access files outside of the document root. I did so by creating a hard link because I need the directory to be searchable using scandir(). Using an Apache alias made the files accessible but I couldn't retrieve a directory listing of the files. (in other words, I had to know the file name of what I was accessing). Eventually, I stumbled upon symlink.

This however poses a possible security concern to me. Since I can delete files programmatically from php now, I feel if my server was to be compromised then an attacker could potentially delete all those files outside the server's root as well. Is there a way to restrict access to read only? I could change the folder permissions but then wouldn't that prevent everything from being able to write? Is there a way to create a separate php user to use on the server so I can set specific permissions to the file system without having to affect the admin?

Hope that made sense to someone.

"I like offending people, because I think people who get offended should be offended." - Linus Torvalds
Joined: 28th Jan 2006
Location: Capital of the Evil Empire
Posted: 9th Jun 2017 19:53
Yeah, pretty much. I've been there lol.
You know that giant on/off switch for the PHP my-admin that you control which comments somewhere near the top of the your
Quote:
#
# PHPMyAdmin
Alias /pma "/usr/local/www/phpMyAdmin/"
# !!! ON !!!
# <Directory "/usr/local/www/phpMyAdmin/">
# Options none
# AllowOverride Limit
# Order Deny,Allow
# Require all granted
# </Directory>

# !! OFF !!
<Directory "/usr/local/www/phpMyAdmin/">
Options none
AllowOverride Limit
Order Deny,Allow
Deny from all
</Directory>

I just keep the ON part commented out unless I need to access the database. I mean you could make a script to turn it on and off somehow, I just don't know how.

Your signature has been erased by a mod
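
The reply above says the on/off switch could be scripted. One way to do it, as an added example that is not code from the thread: it assumes Apache 2.4 and that the phpMyAdmin `<Directory>` block holds a single `Require all granted` or `Require all denied` line instead of the commented-out ON/OFF pair. The function names `pma_state` and `pma_set` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: Apache 2.4, and the
# phpMyAdmin <Directory> block holds one "Require all granted|denied" line.
PMA_DIR='/usr/local/www/phpMyAdmin/'   # path from the quoted config

# pma_state FILE: print on, off or unknown for the phpMyAdmin block only.
pma_state() {
    awk -v dir="$PMA_DIR" '
        index($0, "<Directory \"" dir "\">") && $0 !~ /^[ \t]*#/ { inblk = 1; next }
        inblk && /<\/Directory>/ { inblk = 0 }
        inblk && /^[ \t]*Require all granted/ { s = "on" }
        inblk && /^[ \t]*Require all denied/  { s = "off" }
        END { print (s == "" ? "unknown" : s) }
    ' "$1"
}

# pma_set on|off FILE: rewrite the access line inside that block, nothing else.
pma_set() {
    case "$1" in
        on)  want=granted ;;
        off) want=denied ;;
        *)   echo "usage: pma_set on|off FILE" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v dir="$PMA_DIR" -v want="$want" '
        index($0, "<Directory \"" dir "\">") && $0 !~ /^[ \t]*#/ { inblk = 1 }
        inblk && /<\/Directory>/ { inblk = 0 }
        inblk && /^[ \t]*Require all (granted|denied)/ {
            sub(/Require all (granted|denied)/, "Require all " want)
        }
        { print }
    ' "$2" > "$tmp" && cat "$tmp" > "$2"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed config in a temp file (not a real server config).
demo=$(mktemp)
printf '%s\n' '<Directory "/usr/local/www/phpMyAdmin/">' \
    '    Options none' '    Require all denied' '</Directory>' > "$demo"
pma_set on "$demo" && echo "phpMyAdmin access is now: $(pma_state "$demo")"
rm -f "$demo"
```

On a live server, run `apachectl configtest` and then `apachectl graceful` after `pma_set` so the change is validated before it is loaded.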
