Page 2 of 2

Posted: Mon Aug 14, 2006 9:50 am
by Benjamin
scottayy wrote:
astions wrote:Are included files "evaled" or "executed" by the PHP engine?
Absolutely.
That isn't what I meant. What I mean is, if an included file doesn't have execute permissions, can (or will) php still execute it?

Posted: Mon Aug 14, 2006 10:07 am
by Jenk
I *think* it depends on webserver installation, and type of installation. If your are using CGI-BIN install then it will need execute permission, but if it's module then you might be ok without it.

Posted: Mon Aug 14, 2006 10:14 am
by Benjamin
Jenk wrote:I *think* it depends on webserver installation, and type of installation. If your are using CGI-BIN install then it will need execute permission, but if it's module then you might be ok without it.
I decided to test it. I chmod'ed an important include as 0444 (read only), and it didn't cause any problems. :?

Not sure if that is a good thing security wise or not, but never the less it worked fine. Don't know about CGI-BIN install though..

Posted: Mon Aug 14, 2006 10:43 am
by Jenk
the reason behind my previous post is when using CGI-BIN, the file itself is what is executed, where as in a module installation, the server is executing and 'copies' the content from the requested file.

At least, that is what I was thinking.

Posted: Mon Aug 14, 2006 5:31 pm
by volka
http://www.php.net/manual/en/install.windows.apache2.php wrote:Installing as a CGI binary
[...]
Action application/x-httpd-php "/php/php.exe"
It's still the php executable that is ...executed ;)
The script is only read by the php parser.

Posted: Mon Aug 14, 2006 7:14 pm
by Jenk
http://www.php.net/manual/en/security.cgi-bin.default.php wrote:Case 1: only public files served

If your server does not have any content that is not restricted by password or ip based access control, there is no need for these configuration options. If your web server does not allow you to do redirects, or the server does not have a way to communicate to the PHP binary that the request is a safely redirected request, you can specify the option --enable-force-cgi-redirect to the configure script. You still have to make sure your PHP scripts do not rely on one or another way of calling the script, neither by directly http://my.host/cgi-bin/php/dir/script.php nor by redirection http://my.host/dir/script.php.

Redirection can be configured in Apache by using AddHandler and Action directives (see below).
It's the permissions of the files requested that dictate the action, not the permissions of the php.exe.

Posted: Mon Aug 14, 2006 7:39 pm
by Christopher
I think we need to differentiate between executable by the OS and executable by PHP. PHP scripts are not executable by the OS and the term executable is not normally used for them. I believe "run" is usually used for PHP scripts. The PHP program itself must be executable by the OS to be execute. The execute permissions need to be set for the current user for PHP to be able to be executed.

PHP scripts only need to be readable by PHP to be run.

Posted: Mon Aug 14, 2006 7:43 pm
by Jenk
Yes, and with CGI-BIN installs that is on a per customer basis, where as with the module, it's one user for all.

Posted: Mon Aug 14, 2006 8:52 pm
by volka
arborint wrote:I think we need to differentiate between executable by the OS and executable by PHP. PHP scripts are not executable by the OS and the term executable is not normally used for them.
You can have scripts with #!/bin/php as first line and invoke them "directly" from the shell. Then the execute flag is needed (at least with bash it is).
But that's ot, since __autoload implies that php is already running and therefore only read permissions are needed for additional script files.