runnning php scripts under apache ownership: safe/unsafe

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
jeffz2010
Forum Newbie
Posts: 10
Joined: Sat Nov 28, 2009 8:40 am

runnning php scripts under apache ownership: safe/unsafe

Post by jeffz2010 »

What is possible security draw-back of running entire php-based site (all scripts) owned by apache?

Is it easier for net-vermin to break into site's directory - upload some unauthorised script, or edit existing, than it would be if dirs/files are owned by user?

Not really concerned with inability to access scripts through ftp client running as user (not a draw-back for me).
Assumed proper chmod:
- all folders: 755
- file: 644
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: runnning php scripts under apache ownership: safe/unsafe

Post by kaisellgren »

If this is a VPS/a dedicated server, then don't worry about it.
jeffz2010 wrote:What is possible security draw-back of running entire php-based site (all scripts) owned by apache?
I'm not sure I understood that. Apache needs an access to those files or it can't serve them. I'm not Linux/Apache expert, but IIRC, Apache upon starting runs as root and can thus read anything it likes and after it starts the processing of the VirtualHost/site, it becomes nobody and can access any serve-able web content.
jeffz2010 wrote:Assumed proper chmod:
- all folders: 755
- file: 644
As long as the main directory of your user account has proper permissions set, no one else can access anything below it.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: runnning php scripts under apache ownership: safe/unsafe

Post by VladSun »

Also, for 777 chmod-ed directory it's good to set the sticky bit:

Code: Select all

chmod +t directory_name
This way, while other users can create files in this directory, they will not be able to delete files they don't own.

A little bit of security through obscurity is added if you set the immutable attribute of your files:

Code: Select all

chattr +i file_name
This way, nobody (including the owner of the file) may modify, delete or rename this file. You'll need to turn off the -i flag in order to make any changes.
This is not well known behavior, especially by script-kiddies ;)
There are 10 types of people in this world, those who understand binary and those who don't
jeffz2010
Forum Newbie
Posts: 10
Joined: Sat Nov 28, 2009 8:40 am

Re: runnning php scripts under apache ownership: safe/unsafe

Post by jeffz2010 »

This arrangement (scripts under apache ownership) are to avoid using suphp (or similar), which can be a hog on resources, yet allow user:
  • a. to make changes (read, write, delete create files and directories) using interface (no need for ftp/tech knowledge)
  • b. scripts to manipulate permissions, as needed
e.g.: upload image-> make img:directory writeable->move image to img:dir->change dir back to 755,
or allow script to make file writeable, write to file, change permissions to proper 644
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: runnning php scripts under apache ownership: safe/unsafe

Post by kaisellgren »

SuPHP/SuExec are used to make shared hosting a bit more secure environment to host your software. They make sure that the PHP process runs as the owner of the account and thus can't access the entire file-system unlike in case of without them.
Post Reply