Geek Answers Handbook

Apache does not allow me to enter folders belonging to other users

I am trying to configure PHP sessions for suPHP (see here ). I need my php verification file to belong to the user, so that when suPHP starts, it will do it for the correct user. However, I also do not want the user to have access to this file, ow they can edit it to just return true, and then check the database.

My first attempt was something like this (where Apache works as a www-data user)

 /etc/validate β”œβ”€β”€ [drwx------ www-data ] user1 β”‚  └── [-rwx------ user1 ] validate.php /var/www/ └── [drwx------ user1 ] user1 └── [-rwx------ user1 ] index.html

Then redirect the web pages to the verification page that will be checked, and then return /var/www/user1/index.html

 RewriteCond %{REQUEST_URI} !^/xyz RewriteRule ^(.*) /etc/validate/user1/validate.php?uri=$1

However, suPHP complains that I am accessing something outside of my docroot ( /var/www/user1 ). I do not want docroot to / and update the suphp.conf file suphp.conf that check_vhost_docroot=false does not fix it (and I do not want to fix it). So instead, I just moved /etc/validate to /var/www like that (it's a little dirty, I know)

 /var/www/ └── [drwx------ user1 ] user1 β”œβ”€β”€ [-rwx------ user1 ] index.html └── [dr-x------ www-data ] validate └── [-rwx------ user1 ] validate.php

So, now the confirmation file

  • Inside docroot
  • Owned by user1
  • Not editable by user1

But now, if I try to load the page, I get the following error

 Directory /var/www/user1/validate is not owned by user1

At this point, I'm losing patience, so I just insert another stub folder there, so the file structure looks like this

 /var/www/ └── [drwx------ user1 ] user1 β”œβ”€β”€ [-rwx------ user1 ] index.html └── [dr-x------ www-data ] validate └── [drwx------ user1 ] dummy └── [-rwx------ user1 ] validate.php

Now when I try to load the page, Apache tells me: "You do not have permission to access xyz on this server." where xyz is what comes after my domain name. I do not know why Apache tells me this because I am not trying to access the final values ​​as a file / folder. I think the redirect does not work, and Apache simply assumes that it is a hard link that fails.

Can someone tell me what I'm doing wrong, or provide an alternative way to prevent users from editing their files. It could not get into the dummy directory, since its permissions were rwx------ , and only user1 could cd into it. When I changed the permissions from 0700 to 0755 , it returned to suPHP errors. So now the question is: how can I get suPHP to execute scripts when one of its directories above belongs to someone else?

EDIT: Now I understand why Apache complained. He could not get into

+1
source share
3 answers

I can not find any official link for this, but according to this site:

All files and directories MUST be the owners of your username, and not "nobody" or another name / number. If it doesn’t belong to you, suPHP will refuse to run the script and create a β€œ500 Internal Server Error”.

I can understand the files, but I don’t see the need for directories to belong to you. I found one patch on the Internet (see here ), but I don’t know if it works or not, since I have not tested it yet.

EDIT:. It is possible to allow users to access scripts outside their docroot (via suPHP_GlobalDocRoot ). I can't get it to work for me, Apache claims this is a syntax error. In any case, even if it worked, it would still require at least access 0111 (and possibly also read 0555 ) in all directories up to / .

Thus, I am sure that there is absolutely no solution to the problem. Therefore, I accept this as an answer. I will choose a different answer if someone can provide it.

+1
source

I could be wrong, but if suPHP works as I remember, then PHP runs under a user (in this case user1) not like Apache (www-data), and in this case www-data) is the only one with read and write access to verification file, and user1 is not www data.

The solution, I think, was to provide read permission for everyone to check and write permission only on www-data. So:

 /var/www/ └── [drwx------ user1 ] user1 β”œβ”€β”€ [-rwx------ user1 ] index.html └── [dr-x---r-- www-data ] validate └── [-rwx------ user1 ] validate.php

With the above, user1 cannot edit the verification file, just read it.

You can also try:

 /var/www/ └── [drwx------ user1 ] user1 β”œβ”€β”€ [-rwx------ user1 ] index.html └── [dr-x-----x www-data ] validate └── [-rwx------ user1 ] validate.php

I have always been confused with how "execution" works, but I believe the idea is that the file can be launched (executed) by the user, but not read or written. But this would require validate , so if it is a script, this might not work. Someone else can confirm this.

0
source

There are many configuration options for suPHP, and without them I cannot give an exact answer, so I assume that you are using a fairly standard configuration, because if you do not have it configured quite strictly then you enter so many available holes that it makes no sense to use him.

  • PHP scripts must belong to a non-privileged UID
  • The path back / must belong to the same UID or root.
  • If the script or any parent directory cannot be written by another user UID.
  • The script is executed in the user UID.

This is part of the formal suPHP provisioning model, and if you want to change it, then do not use suPHP.

The user can define their own path for loading PHP.ini. By default, the user can specify custom php.ini and IIRC, you can not disable the suPHP_ConfigPath option. After all, you are using php-cgi in the user UIDs. Thus, this means that even if you set auto_prepend_file (which can be owned by root and cannot be written using the UID), then a knowledgeable user can still get around this.

My simple question is: why are you using PHP, or at least suPHP, the installed PHP handler to do what you are trying to achieve here? Store PHP for privileged user and user functions. Use a CGI script or even RewriteMap and the prg: parameter for these "system" functions. You can even trivially implement this in PHP if this is your preferred language, as this will be done using php-cli. There are many guides to writing Map prg functions. They are pretty easy to implement.

0
source

More articles:


All Articles