Can PHP move and edit root system files on a server?

This may seem like a silly question, but I haven't found anything.

I always thought of PHP as a language for creating sites with a dynamic database foundation, and I never thought of using it to move system files on the actual server (since I never had to do this). My question is:

  • Can a standard PHP 5.3.xx installation move, copy, or edit system files (I use Linux as an example) in /bin or possibly /etc?
  • Is this a good idea / practice?

It never occurred to me that if an attacker could inject some PHP into a site, he would be given access to the entire Linux server (and all its system files). I only thought of PHP as something that works in the /vhosts directory (perhaps naively).

Sorry if this sounds like a silly question, but I can't really test my theory, since if my boss were to see me writing / uploading / executing a script that moves things around on the Linux file system, I'm dead.

Thanks for the help guys! :)

+4
3 answers

PHP can access your server to whatever extent the permissions of the user account it runs as allow it. PHP as a language is not limited in any way (at least in terms of permissions); it is the user account that is limited.

This is why people usually create a user for Apache / nginx / insert web server here to run as, and only grant it permissions to manage the files and directories associated with the web server. If you do not give that user access rights to /bin or /etc, it will not be able to do anything that affects them.

Is this a good idea / practice?

Usually not. Leave system administration to your sysadmin, not to the user requesting your PHP scripts.

+3

Yes, maybe. It's a programming language, it can do anything.

It all depends on who runs it. If it's root, it can do anything. If it's a regular user, bob, he cannot do much outside his home, /home/bob. Apache is similar to bob. Apache usually runs under the names www-data, www, apache.

+1

PHP may try to invoke many system commands to move or directly edit files on the hard drive. Whether this is successful depends on the security settings.

Suppose your PHP runs through Apache and Apache is configured to run all processes as the user www-data - the default setting for an OS such as Debian. If you give the www-data user permission to edit /etc, then yes, PHP can read and write files in /etc.

There is only one major flaw, which you have identified: security, security and security. You also have to be sure that your PHP is working correctly, since one incorrectly written file can now wipe the entire server.

I definitely would not practice on your server for your bosses either. Look at getting a cheap virtual machine, either hosted elsewhere or on your own computer running VirtualBox.

+1
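An added diagnostic in the spirit of these answers (example code, not from any of the posters): it reports which account PHP runs as and whether the system paths named in the discussion are writable by it, reproducing the owner/group/other mode-bit check the kernel applies. It assumes ext/posix is loaded; the manual check ignores ACLs, SELinux/AppArmor and open_basedir, which is why is_writable() is reported alongside it.

```php
<?php
// Added example (not from the answers above): reports which account the
// current PHP process runs as and whether the given system paths are
// writable by it, reproducing the owner/group/other mode-bit check.
declare(strict_types=1);

// Effective uid, its name and all group ids (assumes ext/posix is loaded).
function euidInfo(): array {
    $uid = posix_geteuid();
    $gids = posix_getgroups();
    $gids[] = posix_getegid();
    $pw = posix_getpwuid($uid);
    return ['uid' => $uid, 'name' => $pw['name'] ?? '?', 'gids' => array_unique($gids)];
}

// Classic Unix DAC write check: root always passes; otherwise owner bits apply
// if we own the file, else group bits if we are in its group, else "other" bits.
// Ignores ACLs, SELinux/AppArmor and open_basedir, so compare with is_writable().
function dacWritable(string $path, array $who): ?bool {
    $st = @stat($path);
    if ($st === false) return null;                 // missing or not stat-able
    if ($who['uid'] === 0) return true;             // root bypasses mode bits
    $mode = $st['mode'];
    if ($st['uid'] === $who['uid']) return (bool)($mode & 0200);
    if (in_array($st['gid'], $who['gids'], true)) return (bool)($mode & 0020);
    return (bool)($mode & 0002);
}

function auditPaths(array $paths): array {
    $who = euidInfo();
    $report = [
        'runs_as' => "{$who['name']} (uid {$who['uid']})",
        'is_root' => $who['uid'] === 0,   // a root euid is itself a finding
        'paths'   => [],
    ];
    foreach ($paths as $p) {
        $report['paths'][$p] = [
            'dac_writable' => dacWritable($p, $who),
            'is_writable'  => file_exists($p) ? is_writable($p) : null,
        ];
    }
    return $report;
}

// Run once under the web server account (e.g. www-data): every system path
// should report false. Sample paths are the ones mentioned in the thread.
if (PHP_SAPI === 'cli') {
    print_r(auditPaths(['/etc', '/bin', '/vhosts']));
}
```

Run it as the web server user (for example `sudo -u www-data php audit.php`); a `true` for /etc or /bin, or `is_root` being true, means the server is not confined the way the answers above describe.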

Source: https://habr.com/ru/post/1389424/
