Mailinglist Archive: opensuse (929 mails)

< Previous Next >
Re: [opensuse] public_html security

On 14-03-23 08:39 PM, Cristian Rodríguez wrote:
El 23/03/14 19:20, lynn escribió:
On Sun, 2014-03-23 at 18:47 -0300, Cristian Rodríguez wrote:
El 23/03/14 17:26, lynn escribió:
13.1
Hi
We've a php script which writes to the users public_html folders, so
wwwrun needs w. I used setfacl to grant the write. The alternative is to
stick it in the db. I'd prefer the former. Any problems with that?
Thanks



what kind of data is it and in what format is stored in the case of
using a database ?


e.g.
php:
shell_exec('sh h.sh');
$list= file_get_contents('s.txt');
echo nl2br($list);

h.sh:
#!/bin/bash
ls -l > s.txt

don't want to do:
...
$query = "INSERT INTO testing (results) VALUES('$list')";
...


Hoping that is not the actual code of the application.. place the writeable part in a subdirectory in public_html.. not in public_html itself.

Assuming this app can be modified, it is better to store data in a directory that is not accessible for the public.

ps: execution of programs using shell_exec or other functions in PHP apart from being crazy, slow and almost always insecure, unless extreme care is taken, will probably not work correctly in a number of scenarios when PHP is running an as apache module, it has been broken for a quite a while (aprox since 2009) and no one is going to fix it.

I strongly recommend you to use PHP FPM instead of the apache module.

Damn! You beat me to it. (Dinner was more important than an immediate response.) I was going to tell her about the insecurity of programs in that manner. More gently, though, than if she were my subordinate. The first time a subordinate suggests doing something like that, they'd be advised to think things through again, but after reading everything they can find on secure programming. The second time it is suggested would not be conducive to a long period working for/with me. Not being a PHP programmer myself, my recommendation is from the perspective of a Perl programmer. I know just barely enough PHP to be dangerous. ;-)

Mind you, I DO have a perl script or two that takes input from a user, sanitizes it (validation procedures mostly using regular expressions; but I do the same for anything that needs to be sent to a RDBMS), and then it constructs a PDF file to serve to the user. This, though, is a relatively recent development (as recent as my migration to Linux on some of my development machines), easy on Windows but not so easy on Linux (and I haven't figure out, yet, what I need to do on Linux to get that working properly even though it works flawlessly on Windows). And in my case, the web app user is NEVER a user that is defined for my host, but rather maintained in my RDBMS, in the schema used by my web app. Suggestions as to how to do this on Suse Linux, I assume differently from what I do on Windows, may be helpful to the OP, as one of my obvious needs is that whatever I do must not compromise security (and all access controls ought to be in the configuration file for Apache, rather than .htaccess).

What is PHP FPM, and, if I were to create a PHP CGI script, why would I use it (and would I write that code differently than what I ought to do using only PHP with the Apache module)?

Cheers,

Ted
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups