PHP/CGI security and variable problem

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Mark001
Forum Newbie
Posts: 10
Joined: Sat Mar 15, 2008 11:41 pm

Post by Mark001 »

Hello,

I am on a departmental server running the Apache Web server in which the Web space is shared between several users (i.e. the user's public_html directory is aliased with the standard tilde and username). The problem is having secure PHP scripts that access a MySQL database and therefore have to have the database password hard-coded in them (in plaintext). Since PHP scripts run as the "apache" user and group, the PHP files have to have permission to be read (as "group" or "other"); this gives other users permission to read as well, and they could potentially go into my Web directory, read my PHP scripts, discover the one with the database password, and log into my database.

The sysadmin did me a favor by changing the group ownership of my public_html folder to "apache" so I didn't have to provide the o+rwx permissions in order for the pages to be served. Now the folder's user ownership is me and group ownership is apache, so I can exclude other users from reading my files. However, my concern is that other users who have Web space can make their own PHP script that can go into my directory as the apache user. A skilled-enough user can make some kind of file interface using PHP and control it over Web requests.

There is another option: this server is configured to run .cgi files as SETUID (as my own username), which allows me to only give apache the execute permission (without read), since the script will run as me and have user (u) access. This is done by making an ASCII .cgi file, and using the PHP interpreter in the SheBang line:

#!...php
Content-type: text/html
...
(code goes here)

The problem? I found that when I do this, the special PHP variables don't get set, such as $_POST, $_GET, $_REQUEST, and $_COOKIE. This crashes my PHP script which was designed to use those. Since it's running as a generic interpreted CGI script, the normal PHP modules are not run, and only the standard variables, like the query string and post information, are passed to the script. Without the special PHP variables, those have to be parsed manually, and I know this is bad because it can lead to things like buffer-overflow errors if not done very robustly.

I was wondering two things: one, is there some way that I can explicitly load the PHP modules/APIs/libraries/headers so I can get the script to effectively function as though it was a .php file, and get back those variables? Two, is there some other workaround I might not have thought of yet that doesn't require an unreasonable request to the sysadmin? (I am free to use .htaccess, but certain unconventional things like asking for a special PHP-setuid Apache module to be installed or changing the server configuration to run PHP as a CGI binary, are probably not possible here.)

Thanks
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP/CGI security and variable problem

Post by Mordred »

Re: PHP/CGI security and variable problem

Post by Mark001 »

Thank you for that link, but I can't change httpd.conf which is read as the root user. Unlike what's said on that page, rather than having a virtual host, I'm actually a user with a public_html directory and this is aliased automatically. (I don't know if the sysadmin could store environment variables specifically for my directory.)

I wonder if .htaccess could do the same thing by storing an environment variable with the DB credentials, but then is .htaccess read by the apache user, by root, or as me by setuid (which I don't think makes sense)?

How about the issue with running my setuid CGI script and calling the PHP interpreter? Isn't there any way I can get the PHP variables back that are lost using this method? (_POST, _GET, _REQUEST, _COOKIE)
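
Added example, not part of the thread and not written by either poster: one way to repopulate the request superglobals asked about above, using PHP's built-in parse_str() on the standard CGI environment instead of hand-written parsing. It assumes the shebang interpreter is the PHP CLI binary and that Apache passes the usual CGI variables; the function names and MAX_BODY are hypothetical, and the shebang line from the first post goes above the opening tag.

```php
<?php
// Added example. Assumption: run by the PHP CLI binary, which leaves
// $_GET/$_POST/$_COOKIE empty, with the standard CGI environment set by Apache.
const MAX_BODY = 1048576; // illustrative cap: refuse request bodies above 1 MiB

function cgi_query(string $queryString): array
{
    $out = [];
    parse_str($queryString, $out); // PHP's own decoder: handles %xx and a[]=1
    return $out;
}

function cgi_cookies(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) === 2 && $parts[0] !== '') {
            $out[$parts[0]] = urldecode($parts[1]);
        }
    }
    return $out;
}

function cgi_post(array $env, $stdin): array
{
    if (($env['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [];
    }
    $type = strtolower(trim(explode(';', $env['CONTENT_TYPE'] ?? '')[0]));
    $len  = (int) ($env['CONTENT_LENGTH'] ?? 0);
    if ($type !== 'application/x-www-form-urlencoded' || $len <= 0 || $len > MAX_BODY) {
        return []; // multipart uploads and oversized bodies are not handled here
    }
    $body = stream_get_contents($stdin, $len); // read exactly the declared length
    return cgi_query($body === false ? '' : $body);
}

$env      = getenv(); // whole environment as an array (PHP 7.1 or later)
$_GET     = cgi_query($env['QUERY_STRING'] ?? '');
$_COOKIE  = cgi_cookies($env['HTTP_COOKIE'] ?? '');
$_POST    = cgi_post($env, STDIN);
$_REQUEST = array_merge($_GET, $_POST); // cookies left out on purpose

// header() has no effect under the CLI binary, so the CGI header is echoed.
echo "Content-Type: text/plain; charset=utf-8\r\n\r\n";
echo 'GET keys: ', implode(',', array_keys($_GET)), "\n";
echo 'POST keys: ', implode(',', array_keys($_POST)), "\n";
```

The values are still untrusted input after this step and need the same validation and escaping as under mod_php.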