should PHP ever run as root?

  • lawrence

    should PHP ever run as root?

    My company is leasing a server from Interland, which is a very large
    web hosting company. I assume Interland knows how to set up a BSD
    server with the usual add-ons, including PHP. But when I run
    phpinfo(), I get information that makes it seem like PHP is running as
    root. Isn't this a security problem?

    This is some of the info I'm getting back from phpinfo():



    Additional Modules

    Environment

    USER root
    HOME /root
    ORIG_HOME /root
    LOGNAME root
    TERM vt100
    PATH /bin:/usr/bin
    CALLER root
    CALLER_HOME /root
    SUPERCMD apachectl_1.3.22_2.8.5
    IFS
    ORIG_USER root
    ORIG_LOGNAME root

    PHP Variables

    HTTP_SERVER_VARS["argc"] 0
    HTTP_ENV_VARS["USER"] root
    HTTP_ENV_VARS["HOME"] /root
    HTTP_ENV_VARS["ORIG_HOME"] /root
    HTTP_ENV_VARS["LOGNAME"] root
    HTTP_ENV_VARS["TERM"] vt100
    HTTP_ENV_VARS["PATH"] /bin:/usr/bin
    HTTP_ENV_VARS["CALLER"] root
    HTTP_ENV_VARS["CALLER_HOME"] /root
    HTTP_ENV_VARS["SUPERCMD"] apachectl_1.3.22_2.8.5
    HTTP_ENV_VARS["IFS"]
    HTTP_ENV_VARS["ORIG_USER"] root
    HTTP_ENV_VARS["ORIG_LOGNAME"] root
  • Justin Koivisto

    #2
    Re: should PHP ever run as root?

    lawrence wrote:

    > My company is leasing a server from Interland, which is a very large
    > web hosting company. I assume Interland knows how to set up a BSD
    > server with the usual add-ons, including PHP. But when I run
    > phpinfo(), I get information that makes it seem like PHP is running as
    > root. Isn't this a security problem?

    That looks bad... Try creating a directory at the "/" level. If you can
    do that, then you can do about anything....

    --
    Justin Koivisto - spam@koivi.com
    PHP POSTERS: Please use comp.lang.php for PHP related questions,
    alt.php* groups are not recommended.


    • Pjotr Wedersteers

      #3
      Re: should PHP ever run as root?

      lawrence wrote:
      > My company is leasing a server from Interland, which is a very large
      > web hosting company. I assume Interland knows how to set up a BSD
      > server with the usual add-ons, including PHP. But when I run
      > phpinfo(), I get information that makes it seem like PHP is running as
      > root. Isn't this a security problem?
      >
      > This is some of the info I'm getting back from phpinfo():
      >
      > Additional Modules
      >
      > Environment
      >
      > USER root
      > HOME /root
      > ORIG_HOME /root
      > LOGNAME root
      > TERM vt100
      > PATH /bin:/usr/bin
      > CALLER root
      > CALLER_HOME /root
      > SUPERCMD apachectl_1.3.22_2.8.5
      > IFS
      > ORIG_USER root
      > ORIG_LOGNAME root
      >
      > PHP Variables
      >
      > HTTP_SERVER_VARS["argc"] 0
      > HTTP_ENV_VARS["USER"] root
      > HTTP_ENV_VARS["HOME"] /root
      > HTTP_ENV_VARS["ORIG_HOME"] /root
      > HTTP_ENV_VARS["LOGNAME"] root
      > HTTP_ENV_VARS["TERM"] vt100
      > HTTP_ENV_VARS["PATH"] /bin:/usr/bin
      > HTTP_ENV_VARS["CALLER"] root
      > HTTP_ENV_VARS["CALLER_HOME"] /root
      > HTTP_ENV_VARS["SUPERCMD"] apachectl_1.3.22_2.8.5
      > HTTP_ENV_VARS["IFS"]
      > HTTP_ENV_VARS["ORIG_USER"] root
      > HTTP_ENV_VARS["ORIG_LOGNAME"] root

      Well, that looks really neat!
      Just launch a script execing shutdown -h 0 and see what happens.
      Houston, that is not good, I repeat not good

      Without wanting to feed an urban myth, xs4all, among the bigger providers
      here in the Netherlands also hardly seem to have a clue about a lot of what
      even I call straightforward stuff.

      Perhaps though this is a chrooted environment? Not too familiar with all
      its intricacies, but I guess it could be possible to make it seem like a
      regular root? But maybe I am babbling as well. I often am, they say ;-)

      If this is truly a root environment I'd feel rather awkward, knowing the
      userbase of these big players.

      Good luck with that, and have a ball while you're at it! (and keep us
      posted!)
      Pjotr



      • lawrence

        #4
        Re: should PHP ever run as root?

        "Pjotr Wedersteers" <x33159@westerterp.com> wrote in message news:<41128c8d$0$34762$e4fe514c@news.xs4all.nl>...
        > lawrence wrote:
        > > My company is leasing a server from Interland, which is a very large
        > > web hosting company. I assume Interland knows how to set up a BSD
        > > server with the usual add-ons, including PHP. But when I run
        > > phpinfo(), I get information that makes it seem like PHP is running as
        > > root. Isn't this a security problem?
        ....
        > Well, that looks really neat!
        > Just launch a script execing shutdown -h 0 and see what happens.
        > Houston, that is not good, I repeat not good

        I'll give that a try later today.

        > Perhaps though this is a chrooted environment? Not too familiar with all
        > its intricacies, but I guess it could be possible to make it seem like a
        > regular root? But maybe I am babbling as well. I often am, they say ;-)

        What does chrooted mean?

        By the way, I just had PHP create a directory and the owner of the
        directory was listed as "nobody". What to conclude? Or, better, what
        to test?


        • Gary L. Burnore

          #5
          Re: should PHP ever run as root?

          On 6 Aug 2004 11:40:49 -0700, lkrubner@geocities.com (lawrence) wrote:

          >"Pjotr Wedersteers" <x33159@westerterp.com> wrote in message news:<41128c8d$0$34762$e4fe514c@news.xs4all.nl>...
          >> lawrence wrote:
          >> > My company is leasing a server from Interland, which is a very large
          >> > web hosting company. I assume Interland knows how to set up a BSD
          >> > server with the usual add-ons, including PHP. But when I run
          >> > phpinfo(), I get information that makes it seem like PHP is running as
          >> > root. Isn't this a security problem?
          >...
          >> Well, that looks really neat!
          >> Just launch a script execing shutdown -h 0 and see what happens.
          >> Houston, that is not good, I repeat not good
          >
          >I'll give that a try later today.
          >
          >> Perhaps though this is a chrooted environment? Not too familiar with all
          >> its intricacies, but I guess it could be possible to make it seem like a
          >> regular root? But maybe I am babbling as well. I often am, they say ;-)
          >
          >What does chrooted mean?

          It means the directory structure is made to appear that you're in one
          place (like /) when you're really in another (like /usr/yourname)
          and the directories like bin, etc and lib show up with only the
          commands you can run.

          >By the way, I just had PHP create a directory and the owner of the
          >directory was listed as "nobody". What to conclude? Or, better, what
          >to test?

          nobody is the userid assigned to the web server by default.
          --
          gburnore@databasix dot com
          ---------------------------------------------------------------------------
          How you look depends on where you go.
          ---------------------------------------------------------------------------
          Gary L. Burnore
          DataBasix
          Black Helicopter Repair Svcs Division | Official Proof of Purchase
          ===========================================================================
          Want one? GET one! http://signup.databasix.com
          ===========================================================================
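
Added example, not part of any post in this thread: one way to answer "what to test?" is to set the USER/LOGNAME values that phpinfo() prints from the inherited environment beside the effective user of the PHP process itself. The function names are this example's own; it assumes a Unix host and uses the posix extension when present, with a file-ownership fallback otherwise.

```php
<?php
// Added example. USER/LOGNAME are strings inherited from whoever started the
// web server; they do not change when the server switches to another account.
function env_claimed_user(): ?string
{
    foreach (['USER', 'LOGNAME'] as $key) {
        $value = getenv($key);
        if ($value !== false && $value !== '') {
            return $value;
        }
    }
    return null;
}

// The identity the kernel actually enforces for this process.
function effective_identity(): array
{
    if (function_exists('posix_geteuid')) {
        $uid = posix_geteuid();
        $pw  = posix_getpwuid($uid);
        return ['uid' => $uid, 'name' => $pw ? $pw['name'] : null];
    }
    // Without the posix extension: a file we create is owned by our effective UID.
    $tmp = tempnam(sys_get_temp_dir(), 'idchk');
    $uid = ($tmp !== false) ? fileowner($tmp) : false;
    if ($tmp !== false) {
        unlink($tmp);
    }
    return ['uid' => ($uid === false) ? null : $uid, 'name' => null];
}

function audit(): array
{
    $id = effective_identity();
    return [
        'env_user'          => env_claimed_user(),
        'effective_uid'     => $id['uid'],
        'effective_name'    => $id['name'],
        'runs_as_root'      => $id['uid'] === 0,
        // Read-only probe: nothing is created under "/".
        'root_dir_writable' => is_writable('/'),
    ];
}

header('Content-Type: text/plain');
foreach (audit() as $key => $value) {
    echo str_pad($key, 20), var_export($value, true), "\n";
}
```

If the server was started from a root shell and its workers then switched to an unprivileged account, `env_user` reads `root` while `effective_name` reads that account (for example `nobody`), which is consistent with the directory ownership reported in post #4.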
