PHP 即使使用 SUID 也无法更改文件权限?
给定一个脚本 test.php ,其内容如下:
#!/usr/bin/php
<?php
echo exec('whoami');
chmod('test.txt', 0755);
和一个与其自身位于同一目录中的纯文本文件 test.txt ,如果创建这些文件的用户是可以正常工作的运行脚本。但是,如果我按照以下方式执行以下操作:
chown apache:apache test.php test.txt
chmod 4775 test.php
这将使 test.php 能够以“apache”用户身份运行,无论谁在运行它。但是当我在这种情况下运行它时,我收到“警告:chmod():不允许操作”错误。 “whoami”命令回显的用户是通用用户,而不是“apache”用户。
那么,除了授予用户 sudo 访问权限以“apache”运行脚本之外,是否有办法允许 PHP 脚本以特定用户身份运行?
Given a script test.php that has the contents:
#!/usr/bin/php
<?php
echo exec('whoami');
chmod('test.txt', 0755);
and a plain text file test.txt in the same directory as itself, it works fine if the user who created those files runs the script. However, if I do something along the lines of:
chown apache:apache test.php test.txt
chmod 4775 test.php
That gives the test.php the ability to run as the 'apache' user, no matter who's running it. But when I run it in that context, I get a "Warning: chmod(): Operation not permitted" error. And the user that gets echoed by the "whoami" command is the generic user, not the 'apache' user.
So, is there a way to allow a PHP script to run as a particular user, other than granting users sudo access to run the script as 'apache'?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你一定是错过了什么。您要么允许 apache 在不同的用户(sudo/suexec)下执行该文件,要么不允许。然而,这仅仅是配置。所以你应该首先决定你想要实现什么,然后根据需要配置服务器。
因此,如果您想在特定用户下运行 PHP 脚本,可以通过使用 sudo 功能并指定用户来实现。然后 Apache 将在该配置的用户下执行该脚本。
如果您不喜欢使用 sudo 那么,那么,没有其他选项可以在运行 apache 的用户下运行脚本,或者 apache 已配置为用于调用脚本。
因此,做出你想要实现的决定。但如果你想更改用户,我知道的唯一方法(可能还有其他方法,但我对此表示怀疑)是使用 apache sudo 功能。
You must be missing something. Either you allow apache to execute the file under a different user (sudo/suexec) or not. However, this is merely configuration. So you should first decide what you want to achieve and then configure the server as needed.
So if you want to run the PHP script under a particular user, you do this with making use of the sudo functionality and specifying the user. Apache will then execute the script under that configured user.
If you do not like to make use of sudo then, well, then there is no other option then to run the script under the user that runs apache or apache has been configured to use for invoking the scripts.
So make your decision what you want to achieve. But if you want to change the user, the only way I'm aware of (probably there's something else as well but I doubt it) is making use of the apache sudo feature(s).