
[cobalt-developers] PHP & Security with CGIWrap



Cobalt Developers,

I will first make some comments and recommendations to Cobalt about PHP and
CGIwrap:

I know PHP is just experimental for Cobalt, but I think that Cobalt should
provide a more secure environment for running php scripts, just as they do
for CGI scripts. To make this as transparent to the end user as possible, I
believe CGIwrap can be the answer if a little code is included to handle
.php files in a special way.

Basically, adding #!/usr/local/bin/php to every php script and making them
executable is too much to ask of a regular end user. Cgiwrap could be
hacked, so that .php files are automatically run by the php interpreter (if
it is present in some specific location). This would make php scripts very
secure and very easy to install and manage.

I know Cobalt's CGIwrap is due for a check-up (bug-fixing release). How
about including this feature for the next cgiwrap release? What do you all
think?

Now, what I'm trying to do without success:

I am trying to set up a secure environment for PHP using CGIwrap on a RAQ3. I
got PHP4 compiled as a regular program (not as an apache module) and I put
it in /usr/local/bin/php (outside of the web tree). Then I set up CGIWrap to
handle .php files as it does with .cgi and .pl. The downside of this is that
you have to put #!/usr/local/bin/php on every php file so that it can be
executed as a CGI script by the php interpreter.

I added this line to srm.conf and restarted the server:
+ AddHandler cgiwrap .php

Then I did a little test file (test.php) and made it executable.

-------------------------
#!/usr/local/bin/php

<? phpinfo(); ?>

-------------------------

When I call the script with the browser, cgiwrap doesn't find test.php, even
though it is exactly where it says it is (/home/sites/site3/web/test.php). I
get the following error:

   Execution of (/home/sites/site3/web/test.php) is not permitted
   for the following reason:
	   Script file not found.

If I change the extension of the same file to .cgi instead of .php
(test.cgi), it runs fine, except for one line that always shows at the end
of the output:

   cgi_main.c(279) : Freeing 0x081CCC84 (21 bytes),
script=/home/sites/site3/web/test.cgi

I found out that this line goes away if you compile PHP without
the --enable-discard-path. I included this option because the PHP manual
says it should be there if you are going to run PHP as an interpreter
outside of the web tree (PHP Security Chapter).

My questions are:

1. Why doesn't cgiwrap find the test.php file when it does find test.cgi?
   (I added .php files to be handled by CGIwrap in apache's srm.conf).

2. Is --enable-discard-path really needed for security if you are going to
use PHP with CGIwrap? I don't see how somebody could invoke the interpreter
to access something it couldn't, if it is running under their user
privileges.


Jose Aguilar
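The dispatcher Jose proposes (the wrapper routing .php files to the interpreter itself, so the script needs neither a #! line nor the executable bit) can be modelled in a few lines. The following is an added example, not CGIwrap's, Cobalt's or Jose's code: it shows, in Python, the checks a setuid wrapper has to make before running a site user's script (the script lies inside that site's web tree, belongs to the user it will run as, is not writable by anyone else, and, when it is executed directly, has the execute bit) together with the extension-based dispatch. The interpreter path is the one from the message; the web-tree layout, the error strings and the sample files are assumptions constructed for the example.

```python
import os
import stat
import tempfile

PHP_BIN = "/usr/local/bin/php"  # location of the CGI build of PHP from the post

# Extension -> interpreter. None means "run the file itself", as .cgi/.pl
# are run today; .php is handed to the interpreter, so the script needs no
# #! line and no chmod +x.
HANDLERS = {".php": PHP_BIN, ".cgi": None, ".pl": None}


def resolve_script(web_root, script_path):
    """Canonicalise script_path and insist that it lies inside web_root.

    Raises PermissionError with a reason in the style of the wrapper's
    'is not permitted for the following reason' message (assumed wording).
    """
    root = os.path.realpath(web_root)
    real = os.path.realpath(script_path)
    if os.path.commonpath([root, real]) != root or real == root:
        raise PermissionError("Script is outside the site's web tree.")
    if not os.path.isfile(real):
        raise PermissionError("Script file not found.")
    return real


def check_owner_and_mode(real, expected_uid):
    """The checks that make a setuid wrapper safe: the script must belong to
    the site user it will run as, and nobody else may be able to write it."""
    st = os.stat(real)
    if st.st_uid != expected_uid:
        raise PermissionError("Script is not owned by the site user.")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("Script is group- or world-writable.")
    return st


def build_command(web_root, script_path, expected_uid):
    """Return the argv the wrapper would exec as expected_uid."""
    real = resolve_script(web_root, script_path)
    ext = os.path.splitext(real)[1]
    if ext not in HANDLERS:
        raise PermissionError("Extension is not handled by the wrapper.")
    st = check_owner_and_mode(real, expected_uid)
    interpreter = HANDLERS[ext]
    if interpreter is None:
        # Executed directly: the kernel needs the execute bit (and the #! line).
        if not st.st_mode & stat.S_IXUSR:
            raise PermissionError("Script is not executable.")
        return [real]
    # Interpreted: the interpreter opens the file, so 0644 is enough.
    return [interpreter, real]


def exec_as_owner(argv, uid, gid):
    """Drop to the script owner's ids and exec (the process must start as
    root, as a setuid wrapper does). Not exercised by demo() below."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    os.execv(argv[0], argv)


def make_sample_site():
    """Constructed sample web tree: a .php without #! or +x, an executable
    .cgi, and a world-writable .php that must be refused."""
    root = tempfile.mkdtemp(prefix="site3-")
    files = {"test.php": 0o644, "test.cgi": 0o755, "loose.php": 0o666}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<? phpinfo(); ?>\n")
        os.chmod(path, mode)
    return root


def demo():
    """Run the wrapper logic over the sample site; returns name -> outcome
    (an argv list when the script would run, otherwise the refusal reason)."""
    root = make_sample_site()
    uid = os.getuid()
    results = {}
    for name in ("test.php", "test.cgi", "loose.php", "missing.php",
                 "../outside.php", "notes.txt"):
        try:
            results[name] = build_command(root, os.path.join(root, name), uid)
        except PermissionError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The point the model makes concrete is where the security of the setup comes from: not from the #! line or the execute bit, but from the wrapper refusing anything outside the site's tree or not owned by the site user, and then dropping to that user's uid before the interpreter ever opens the file. Under that model a .php file only needs to be readable by its owner.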