This is a Linux user security issue relating to PHP running as nobody.
I'm working on development strategies for my server. I'm about to start a large company and need very specific access for employees. I have PHP running as "nobody" as far as whoami.
My goal is to have Linux users that are members of a group or groups; these kinds of permissions will apply to public files, so the owner is the user, the group is any number of groups they belong to, and the file is world readable/executable.
However, on sensitive files, I want PHP to have access but not other users, except a few. The idea is to assign the owner of the file as a privileged person, but the GROUP as nobody, and the file NOT world readable/executable.
This way, the privileged user and PHP alone can view or work with this file; no one else can.
The problem is, it's not working!! PHP can't access a file I've created. Here's the structure going down to this file...
1. folder: rbase set to rwxr-x---, the group=nobody and the user=rbase.
2. folder: rbase/systeam set to rwxr-x---, the group=nobody and the user=system (my SysAdmin Team)
3. file: rbase/systeam/config.php set to rwxr-x---, the group=nobody and the user=systeam.
I can log in as systeam and see this, but PHP cannot read this. Is it possible that the user "nobody" has not been assigned to the group "nobody"? And how can I tell?
The other issue is that if nobody isn't a member of group nobody, the chgrp manual says I can't do this while nobody has processes running (which he does). Do I need to shut down apache and PHP as well?
Thanks for your help, I really thought I had a handle on Linux permissions until I encountered this problem.
It's very possible that PHP isn't running with GID=nobody. It probably doesn't go through the entire login process, but only sets its UID to nobody.
Here's what I'd do. I'd create a special user called php and a corresponding group called php, and have PHP running with those, instead of using nobody. Nobody isn't necessarily hard to gain access to, and hence no sensitive data should ever be readable by nobody. nobody is supposed to be used only as a low-permission user. Also, I'd make the file owned by php, and have the group as the ones to be allowed to edit it. That way, you can have several people editing it. I wouldn't have only one user for the entire sysadmin team either. Just add them all to a certain group (adm, preferably).
Checking how PHP runs is the easiest thing in the world. Just check the /proc/?/status file for the UID and GID fields. There are four values, the real ID, effective ID, saved ID and filesystem ID, in that order. Just check so that it is what you want it to be.
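The check described in the reply above, as an added shell example that is not part of any post in this thread: it parses the `Uid:` and `Gid:` lines of a `/proc/<pid>/status` file (real, effective, saved and filesystem IDs, in that order) and walks `/proc` for Apache and PHP processes. It assumes Linux with `getent` available; the sample status file is constructed here, and the values 65534 (nobody) and 48 (an apache group) are assumed, chosen to show the UID/GID mismatch the reply warns about.

```sh
#!/bin/sh
# Added example (not from the thread): read the real/effective/saved/filesystem
# UID and GID of a process from /proc/<pid>/status.

# Print the eight IDs from one status file in a fixed, greppable form.
ids_from_status() {
    awk '
        $1 == "Uid:" { printf "uid=%s euid=%s suid=%s fsuid=%s ", $2, $3, $4, $5 }
        $1 == "Gid:" { printf "gid=%s egid=%s sgid=%s fsgid=%s", $2, $3, $4, $5 }
        END { printf "\n" }
    ' "$1"
}

# Resolve a numeric user or group ID to a name; falls back to the number.
uid_name() { n=$(getent passwd "$1" 2>/dev/null | cut -d: -f1); printf '%s\n' "${n:-$1}"; }
gid_name() { n=$(getent group "$1" 2>/dev/null | cut -d: -f1); printf '%s\n' "${n:-$1}"; }

# Walk /proc and report every httpd/apache2/php process with its IDs.
# On a normal install the Apache parent stays root and only the children
# (which run the PHP code) switch to the configured User/Group, so look at all
# of them rather than just the first PID.
web_process_ids() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        name=$(cat "$comm" 2>/dev/null) || continue
        case "$name" in
            httpd|apache2|php-fpm|php-cgi)
                pid=${comm#/proc/}; pid=${pid%/comm}
                printf '%s %s %s\n' "$pid" "$name" "$(ids_from_status "/proc/$pid/status")"
                ;;
        esac
    done
}

# Constructed sample of a status file (assumed IDs): uid 65534 but gid 48,
# i.e. a process that is "nobody" by user but not by group.
SAMPLE_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS"' EXIT
cat >"$SAMPLE_STATUS" <<'EOF'
Name:   httpd
State:  S (sleeping)
Uid:    65534   65534   65534   65534
Gid:    48      48      48      48
Groups: 48
EOF

ids_from_status "$SAMPLE_STATUS"   # prints uid=65534 euid=65534 suid=65534 fsuid=65534 gid=48 egid=48 sgid=48 fsgid=48
web_process_ids                    # live processes on this host, if any
```

A file with mode 750 and group nobody is readable by that sample process only if 65534 appears in its `Gid:` line or its `Groups:` line; the user name alone tells you nothing about group access, which is why the reply asks for the GID fields and not just `whoami`.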
Thanks for your reply. I've heard someone else recommend PHP run as user php.
The reason I wanted to have the group be php and not the user is this:
Since these files are going to have NO rwx to the world, PHP has to get in as either the user or group of the file. If I have team members creating files, the file by default is going to be their default user and default group. (Unless they're in group php, which makes all of this useless anyway).
Either way, the creator of the file has to remember to cede either ownership of the file or group membership of the file to the user php, or am I missing something here? In other words, if they have ftp access as themselves, all files they create will have their user name and default group or am I wrong.
CAN YOU TELL ME HOW TO CHANGE THE USER PHP RUNS UNDER? OR IS THIS AN APACHE THING? I'M NEW TO THIS AREA SO DETAILED INSTRUCTIONS WOULD BE HELPFUL. These were your instructions and I couldn't understand:
Quote:
Checking how PHP runs is the easiest thing in the world. Just check the /proc/?/status file for the UID and GID fields. There are four values, the real ID, effective ID, saved ID and filesystem ID, in that order. Just check so that it is what you want it to be.
What is the question mark? Could you explain this a bit more? Thanks!!
I will definitely work on your suggestion of having multiple team members under SysTeam also.
I'm guessing that your usage of PHP is under apache, right? In that case, as far as I've informed myself, PHP is just loaded as a shared lib by the apache processes, so it's really apache running as a certain user, not PHP. If so, you configure what user/group it runs as in /etc/httpd/conf/httpd.conf (at least that's the path on my systems; I don't know if yours might be using a different one), using the "User" and "Group" directives. Just search for them in the config file, and you're sure to find them. I thought you knew how to set this? Wasn't it you who changed it to run as nobody?
On most installations, Apache by default runs with both user and group set to the apache user and apache group, which I find to be a rather fine idea that I wouldn't change, unless I'd have good reasons to do so.
Quote:
Originally Posted by samf
What is the question mark? Could you explain this a bit more?
The question mark is supposed to be substituted for the PID of the process you want to check. If you don't know your /proc filesystem, I suggest that you check it out, since there are a lot of goodies in there. (There is "man 5 proc", but it's pretty outdated; it's from -96, or Linux 1.3.11)
The /proc filesystem contains live data delivered directly from the kernel. It contains subdirectories corresponding to each process in the system, plus a lot of other things, such as a filesystem interface directly into the sysctl variables. In the directories for each process, you can examine the process' status, their opened files, their memory mappings, argv and envp, and some other things.
Quote:
Originally Posted by samf
Either way, the creator of the file has to remember to cede either ownership of the file or group membership of the file to the user php, or am I missing something here? In other words, if they have ftp access as themselves, all files they create will have their user name and default group or am I wrong.
No, that's quite correct, but I don't really see how running apache as nobody is going to help? It's not like ordinary users can "give" files to nobody, and it's most certainly not like nobody can just read any files.
There are two simple ways to correct this. One is to create a SUID-root program that just calls chown on a file to make it belong to the apache user. The other is to modify the "upload" (or whatever you call it) directory for the FTP, and/or the directory that contains the PHP scripts, to belong to apache's group and chmod it to 2755 (the last three can be whatever you want, just preserve the SGID bit). If you didn't know it, SGID on a directory means that all files created in it will automatically be made to belong to the group that the directory has. It can be quite practical.
Btw., if you'd care to hire me as a remote sysadmin, I'd be eternally grateful; I don't have a good job... :-)
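Two things from this thread worth seeing run, as an added shell example that is not part of any post here: `may_read` reproduces the owner/group/other selection the kernel makes for the read bit, so you can test the original poster's layout (file owner a team user, group nobody, mode 750) against a process that is uid nobody but has some other gid; `sgid_demo` creates a setgid directory and shows a new file inheriting the directory's group, which is the FTP-upload fix the reply above describes. The numeric IDs (1001 for a team user, 65534 for nobody, 48 for an apache group) are assumed values; the script assumes Linux with GNU or busybox `stat -c`. It uses 2770 rather than the reply's 2755 so the directory stays closed to everyone outside the group, matching the poster's "not world readable" goal.

```sh
#!/bin/sh
# Added example (not from the thread): the classic Unix read-permission decision
# and the setgid-directory behaviour, on constructed IDs.

# may_read MODE FILE_UID FILE_GID PROC_UID [PROC_GID ...]   -> echoes yes|no
# Exactly one of the owner, group or other digit is consulted; being the owner
# wins even when the group digit would be more permissive. This ignores ACLs,
# capabilities such as CAP_DAC_READ_SEARCH, and the search (x) bits that are
# also needed on every directory on the path (rbase and rbase/systeam here).
may_read() {
    mode=$1 fuid=$2 fgid=$3 puid=$4; shift 4
    if [ "$puid" -eq 0 ]; then echo yes; return 0; fi        # root bypasses DAC
    mode=$(printf '%s' "$mode" | sed 's/^0*//'); mode=${mode:-0}   # "0750" -> "750"
    if [ "$puid" -eq "$fuid" ]; then
        digit=$((mode / 100 % 10))          # owner class
    else
        digit=$((mode % 10))                # other class, unless a group matches
        for g in "$@"; do
            if [ "$g" -eq "$fgid" ]; then digit=$((mode / 10 % 10)); break; fi
        done
    fi
    if [ $((digit & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Create a setgid directory belonging to one of the caller's groups and show
# that a file created inside it gets the directory's group, not the creator's
# primary group. Returns 0 when the groups match.
sgid_demo() {
    dir=$(mktemp -d)
    set -- $(id -G)                 # effective gid first, then supplementary groups
    target=${2:-$1}                 # a supplementary group makes the effect visible
    chgrp "$target" "$dir"
    chmod 2770 "$dir"               # rwxrws---: group rwx plus setgid, nothing for others
    : >"$dir/upload.php"
    dgid=$(stat -c %g "$dir")
    fgid=$(stat -c %g "$dir/upload.php")
    rm -rf "$dir"
    echo "dir group=$dgid new-file group=$fgid creator primary group=$1"
    [ "$dgid" = "$fgid" ]
}

# The poster's case: config.php is 750, owner 1001, group nobody (65534).
may_read 750 1001 65534 65534 48          # no:  uid nobody, but gid 48 is not group nobody
may_read 750 1001 65534 65534 48 65534    # yes: same process once nobody is in its groups
may_read 750 1001 65534 1001 100          # yes: the owner reads via the owner digit
sgid_demo
```

The first two calls are the whole thread in miniature: a process that is "nobody" by user but not by group falls through to the other-class digit, which the poster deliberately set to 0. Giving the web server's own group to the directory with the setgid bit fixes new files as they are created, without every team member remembering to chgrp.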
You can decide which user the apache services should run as in httpd.conf; it's good to change the user to some username and group you have created yourself. This can be really good from a security angle. To set up web services really "safe" you should use chroot, which will trap all processes that you want in a "jail".
Not if you want to display pages from the entire filesystem, like publishing the UserDirs, for example. For many installations it may be a good thing, but I couldn't do it on my home installation for such reasons.