Friday, January 28, 2011

PHP Security: Need help understanding SUID

I am reading a book about PHP Security and there's the below that I do not really understand, specifically the part in bold. So say PHP wants to move a file that belongs to user A; PHP has to run as user A? Is that allowed? I am not really a system admin, but I don't really understand how this makes a server more or less secure.

The SUID or Set User ID bit is a UNIX and Linux filesystem permissions feature that enables you to specify that the application in question should always run as the user that owns the binary file—regardless of which user initiates the process.

  • I assume we're talking about a web server. Normally, when the web server runs the PHP library (or executable as the case might be), PHP will be run as the web server's user. So if the web server runs as user 'www', PHP will be run as that user as well, and will inherit that user's permissions.

    If you set SUID bit, then PHP will not run as the 'www' user, instead the owner of the PHP program is who the PHP program will run as. So if 'root' owns PHP, then PHP will always run as 'root' with all the associated permissions. This can be very dangerous, as on Unix systems 'root' has limitless power (Admin accounts are second only to the Windows System account and can do very nearly as much damage, plenty bad enough).

    Now, if you want PHP to be able to open a file as user 'joe', then PHP must be running as the user 'joe'. If this is coming from the web server this can only happen in one of two ways (normally). 1. The web server is running as 'joe' and PHP will inherit those permissions. 2. PHP is running as a user who can assume the rights of other users (normally this ability is reserved to 'root').

    Since running the web server as 'joe' isn't practical, it's common to SUID the PHP program and run it as root, then assume the rights of user 'joe'. This can be extremely dangerous as errors in the program could easily allow anyone to break into the server and cause innumerable damage. Also, errors in other parts of the web server could potentially exploit this and again cause damage. For this reason (and others) it is highly encouraged that you do not SUID (unless absolutely necessary) and write programs that do not require it.

    Depending on your exact environment, more details may apply, and some of this may be inaccurate. I tried my best without knowing exactly what you're doing. Also note there's no SUID in Windows, but there are ways to get that functionality when running a web server.

    jiewmeng: thank you, I think you explained OK, I just need some time to digest.
    From Chris S
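The pattern the answer describes ("SUID the PHP program and run it as root, then assume the rights of user 'joe'") is only as safe as the privilege drop that follows. Below is an added example in C, not code from the original post or from PHP itself, showing the two things a practitioner wants to verify: how to tell whether a binary carries the setuid bit, and the correct drop sequence (supplementary groups, then primary gid, then uid, in that order) followed by a check that root cannot be regained. The target user name `nobody` and the build/installation commands in the comments are assumptions for a test machine; the drop logic itself is standard POSIX.

```c
/* suid_demo.c: added example (not from the original post).
 * Build:   cc -Wall -o suid_demo suid_demo.c
 * To try the root path on a throwaway box (assumption, not required):
 *   sudo chown root suid_demo && sudo chmod u+s suid_demo && ./suid_demo joe
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
/* glibc/musl hide this prototype under strict -std flags; declare it explicitly. */
extern int setgroups(size_t n, const gid_t *groups);
#endif

/* Returns 1 if path is a regular file with the setuid bit set,
 * 0 if it is not, and -1 if the path cannot be stat()ed. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (only root may clear them), then the primary gid, and the uid last,
 * because once the uid is gone the process can no longer change groups.
 * Returns 0 on success, -1 (with errno set) if any step fails or if the
 * drop turns out to be reversible. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    uid_t before = geteuid();

    if (before == 0 && setgroups(0, NULL) != 0)
        return -1;                       /* still root; do not continue */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* A real drop is irreversible: switching back to the previous
     * effective uid must now fail. Only meaningful when it changed. */
    if (before != uid && seteuid(before) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "nobody";   /* assumed to exist */

    printf("real uid %u, effective uid %u, setuid bit on %s: %d\n",
           (unsigned)getuid(), (unsigned)geteuid(), argv[0],
           has_setuid_bit(argv[0]));

    struct passwd *pw = getpwnam(target);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", target);
        return 1;
    }
    if (drop_privileges_to(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    /* From here on, any fopen()/rename() runs with joe's rights only,
     * and the root that the setuid bit granted is gone for the
     * lifetime of the process. */
    printf("now running as uid %u (%s)\n", (unsigned)geteuid(), target);
    return 0;
}
```

Run unprivileged, the program simply reports that it is not setuid and "drops" to its own uid, which is the same check the test exercises; installed setuid root it drops to the named user and refuses to continue if any step fails, which is the failure mode a SUID-root web helper must never ignore.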
