PHP SUID problem with Apache
Ok, not sure what I am missing here. I'm trying to rename some files with a web accessible PHP script, without giving world write permissions on those files. So I'm trying to use SUID on a PHP script (also tried a shell script).
There are three users which come into play, we'll call them APACHE, MATT, and BRIAN.
There is also a group called WEBDEV, which MATT and BRIAN are in.
There are two files which need to be renamed. One is owned by MATT, the other by BRIAN. Both files' group owner is WEBDEV.
-rw-rw-r-- 1 MATT WEBDEV 126179 Jun 20 12:03 g5g55.jpg
-rw-rw-r-- 1 BRIAN WEBDEV 41588 Jul 14 2006 g2g22.jpg
So my PHP script to be accessed in the browser, called rename.php, runs as APACHE. It cannot rename either of these files. Naturally. So the first thing I tried, which I didn't assume would work anyway, was to SUID the PHP script as MATT.
su MATT
chmod u+s /path/to/rename.php   # also tried g+s
As I expected, no dice. So I wrote a 2nd script, called move.php.
#!/usr/bin/php
<?php
// code to move file
Then SUID that script.
su MATT
chmod u+s /path/to/move.php   # also tried g+s
Then from the original web accessed script, rename.php, I call:
shell_exec('/path/to/move.php');
I had higher hopes for this one, no dice again. So I figure it's not working due to the PHP interpreter or Apache again. Now I try the same thing, but with a new shell script called move.sh being exec'd from rename.php.
#!/bin/bash
# code to move file
And again it doesn't work. If I exec the files move.php or move.sh from the shell as MATT, it works fine. Not sure why this isn't working, or how I can make it work with SUID, rather than using sudo or setting up some sort of queue that could be called from the properly privileged user's cron. What is the best way to handle this? Thanks in advance.
UPDATE
Got it figured out for anyone who stumbles on this later. SUID doesn't work for shell scripts on my distro (or most for that matter). Any subsequent commands called from a shell script will be run as the original user who launched it, not the user who set the SUID bit. This applies for PHP and any exec calls you make too, you'd have to set the SUID bit on /usr/bin/php, which is obviously a very bad idea. Or you can wrap your shell script in a C binary using a system call. I'm going to use SUDO.
Related info:
https://serverfault.com/questions/282835/apache-mod-php-ignores-suid
Comments (1)
Have all 3 users belong in the group WEBDEV, and then change all files to be owned by APACHE, group WEBDEV:
Give the group read/write access to this directory and everything inside it (-R = recursive)
As you can see, 'nux permission schemes are very flexible and take a little bit of head-banging to get used to. Many more juicy examples here.
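The group-permission fix above works because renaming a file is checked against the containing directory, not the file: rename() needs write and search permission on the directory, and the file's own mode (the 664 on the jpg files) does not matter. This added example, not part of the original question or answer, shows that in a temporary directory: a 664 file in a 555 directory cannot be renamed, and becomes renameable as soon as the directory is writable. The file name is constructed to mirror the question; the helper name is my own.

```shell
#!/bin/sh
# Added example: rename permission lives on the directory, not the file.
# Prints two exit statuses: "<rename with 555 dir> <rename with 775 dir>".
# Expected as a normal user: "1 0" (first mv blocked, second allowed).
# Note: root bypasses mode checks, so as root the first mv would succeed.
demo_rename_needs_dir_write() {
    d=$(mktemp -d) || return 2

    # Constructed stand-in for the question's g5g55.jpg: group-writable file.
    touch "$d/g5g55.jpg"
    chmod 664 "$d/g5g55.jpg"

    # Directory is read+search only: the file mode is irrelevant, mv fails.
    chmod 555 "$d"
    if mv "$d/g5g55.jpg" "$d/renamed.jpg" 2>/dev/null; then r1=0; else r1=1; fi

    # Grant write on the directory, as the answer's chmod -R g+rw does for the
    # group: now the rename is permitted.
    chmod 775 "$d"
    if mv "$d/g5g55.jpg" "$d/renamed.jpg" 2>/dev/null; then r2=0; else r2=1; fi

    rm -rf "$d"
    echo "$r1 $r2"
}
```

So for the web script, APACHE only needs to be in WEBDEV with group write on the directory; no SUID on the script, the interpreter or a wrapper binary is required.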