about running PHP as nobody, security strategy
This is a Linux user security issue relating to PHP running as nobody.
I'm working on development strategies for my server. I'm about to start a large company and need very specific access for employees. I have PHP running as "nobody" as far as whoami.
My goal is to have Linux users that are members of a group or groups; these kinds of permissions will apply on public files, so the owner is the user, the group is any number of groups they belong to, and the file is world readable/executable.
However, on sensitive files I want PHP to access but not other users except a few. The idea is to assign the owner of the file as a privileged person, but the GROUP as nobody, and the file NOT world readable/executable.
This way, the privileged user and PHP alone can view or work with this file; no one else can.
The problem is, it's not working!! PHP can't access a file I've created. Here's the structure going down to this file...
1. folder: rbase set to rwxr-x---, the group=nobody and the user=rbase.
2. folder: rbase/systeam set to rwxr-x---, the group=nobody and the user=system (my SysAdmin Team)
3. file: rbase/systeam/config.php set to rwxr-x---, the group=nobody and the user=systeam.
I can log in as systeam and see this, but PHP cannot read this. Is it possible that the user "nobody" has not been assigned to the group "nobody"? And how can I tell?
The other issue is that if nobody isn't a member of group nobody, the chgrp manual says I can't do this while nobody has processes running (which he does). Do I need to shut down apache and PHP as well?
Thanks for your help, I really thought I had a handle on Linux permissions until I encountered this problem.
Compass Point Media
some questions about your reply
Thanks for your reply. I've heard someone else recommend PHP run as user php.
The reason I wanted to have the group be php and not the user is this:
Since these files are going to have NO rwx to the world, PHP has to get in as either the user or group of the file. If I have team members creating files, the file by default is going to be their default user and default group. (Unless they're in group php, which makes all of this useless anyway).
Either way, the creator of the file has to remember to cede either ownership of the file or group membership of the file to the user php, or am I missing something here? In other words, if they have ftp access as themselves, all files they create will have their user name and default group, or am I wrong?
CAN YOU TELL ME HOW TO CHANGE THE USER PHP RUNS UNDER? OR IS THIS AN APACHE THING? I'M NEW TO THIS AREA SO DETAILED INSTRUCTIONS WOULD BE HELPFUL. These were your instructions and I couldn't understand:
Checking how PHP runs is the easiest thing in the world. Just check the /proc/?/status file for the UID and GID fields. There are four values, the real ID, effective ID, saved ID and filesystem ID, in that order. Just check so that it is what you want it to be.
What is the question mark? Could you explain this a bit more? Thanks!!
I will definitely work on your suggestion of having multiple team members under SysTeam also.
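As an added example (not from this thread), a small POSIX shell simulation of the permission check a process running as nobody faces on the rbase/systeam/config.php path from the first post. The owners, groups and modes are the ones listed there; the two group sets tried for the nobody user ("nobody" and "nogroup") are constructed to show both outcomes.

```shell
#!/bin/sh
# Simulates the POSIX access check for the three entries described in the
# post. Users, groups and modes are constructed from the thread, not read
# from a real system; nothing here touches the filesystem.

# perm_digit MODE WHICH -> the owner/group/other octal digit of MODE (e.g. 750)
perm_digit() {
    case $2 in
        owner) printf '%s' "${1%??}" ;;
        group) g=${1#?}; printf '%s' "${g%?}" ;;
        other) printf '%s' "${1#??}" ;;
    esac
}

# in_groups GROUP "g1 g2 ..." -> 0 if GROUP is one of the listed groups
in_groups() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# allowed USER "GROUPS" OWNER GRP MODE BIT -> 0 if access is granted.
# BIT is 4 (read), 2 (write) or 1 (execute/search). Exactly one class is
# consulted: owner if the names match, else group if USER is in GRP, else other.
allowed() {
    if [ "$1" = "$3" ]; then d=$(perm_digit "$5" owner)
    elif in_groups "$4" "$2"; then d=$(perm_digit "$5" group)
    else d=$(perm_digit "$5" other); fi
    [ $(( d & $6 )) -ne 0 ]
}

# can_read_config USER "GROUPS" walks the path from the post: each directory
# must grant search (x) and the file itself must grant read (r).
can_read_config() {
    allowed "$1" "$2" rbase   nobody 750 1 &&
    allowed "$1" "$2" system  nobody 750 1 &&
    allowed "$1" "$2" systeam nobody 750 4
}

# Demo: the same path tried as the PHP worker with two possible group sets.
for groups in nobody nogroup; do
    if can_read_config nobody "$groups"; then r=readable; else r=denied; fi
    printf 'nobody in groups [%s]: config.php %s\n' "$groups" "$r"
done
```

On a live host the corresponding question is answered by comparing `id nobody` with the Gid and Groups lines of the PHP worker's /proc/<pid>/status. The simulation also makes visible that every directory on the path, not only the file, has to grant search permission to the group.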