Security Basics mailing list archives
Re: Very basic security question:
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Thu, 23 Jan 2003 12:31:51 -0700
On Tue, Jan 21, 2003 at 05:33:41AM +0000, Ing. Bernardo Lopez wrote:
How secure could my webserver be if I allow some PHP scripts to modify the files (directly) /etc/passwd & /etc/shadow, but my script will only allow modifying the line of the logged-in user (like userid=visitor, then he can only see/modify visitor's line)?? Is it secure if I enforce the security of the script strongly enough... or is this still a stupid option? Also, if I use that script only to modify the permissions of FTP users, is it still insecure? (if the ftpd runs with a very unprivileged uid?)
To modify the shadow password file, you would need to run the PHP program (in most cases the web server) as root. Which isn't secure (to put it mildly). Or you would need to allow the web server to have read and write access to the shadow file as its regular user, which isn't secure. "Thou shalt not let network services alter any critical files" is the best approach.

What is normally done by myself and others I have talked to is a PHP gateway server. You would write a daemon that your PHP code talks to via a Unix domain socket. The protocol you use to talk to your daemon would include a username and password (so the daemon can ensure it is talking to an authorized user). Any PHP script could talk to the daemon (most wouldn't know it exists), but because you have kept the daemon simple, and with a rigid, unforgiving protocol, the daemon will be much better, safe-code-wise, than your PHP script could ever hope to be.

-----------------------------------------------------------------------
   __o     Bradley Arlt               Security Team Lead
 _ \<_     arlt () cpsc ucalgary ca   University Of Calgary
(_)/(_)    I should be biking right now.   Computer Science
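A sketch of the gateway daemon described in the reply above, added here as an illustration and not code from the thread or its author. The single-line request grammar, the field allowlist, and the check_password / apply_change callbacks are assumptions made for the example; the privileged edit itself is left to the caller.

```python
import re
import socketserver

# Constructed, hypothetical protocol between the PHP side and the daemon:
#   request: "SET <user> <password> <field> <value>\n"   (no spaces in tokens)
#   reply:   "OK\n" or "ERR <reason>\n"
# The daemon holds the privilege the web server must not have, so every token is
# checked against a rigid grammar before anything touches the account database.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
ALLOWED_FIELDS = {                                  # constructed allowlist
    "shell": re.compile(r"^/bin/(sh|bash|false)$"),
    "gecos": re.compile(r"^[A-Za-z0-9.,_-]{1,64}$"),
}

def handle_request(line, check_password, apply_change):
    """Parse one request line and return the reply string.
    check_password(user, pw) -> bool; apply_change(user, field, value) does the edit."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 5 or parts[0] != "SET":
        return "ERR malformed"
    _, user, password, field, value = parts
    if not USER_RE.match(user):
        return "ERR bad-user"
    if field not in ALLOWED_FIELDS or not ALLOWED_FIELDS[field].match(value):
        return "ERR bad-field"
    if not check_password(user, password):
        return "ERR auth"
    # The record that gets edited is the same token that was just authenticated,
    # so a caller can never reach another user's line through this daemon.
    apply_change(user, field, value)
    return "OK"

class GatewayHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline(512).decode("ascii", "replace")  # bounded read
        reply = handle_request(line, self.server.check_password, self.server.apply_change)
        self.wfile.write((reply + "\n").encode("ascii"))

def serve(socket_path, check_password, apply_change):
    """Listen on a Unix domain socket; restrict the socket's permissions separately."""
    with socketserver.UnixStreamServer(socket_path, GatewayHandler) as srv:
        srv.check_password = check_password
        srv.apply_change = apply_change
        srv.serve_forever()
```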