PHP 4 security File Access Issue on AIX
Hi.
We are facing a problem with an old PHP application.
The application browses the local server directory in order to show to the client browser file info and data.
When we remove all the grants from "others", from any of the directories or the tree involved, or the files themselves, the program pops up with the error:
------
Warning: opendir(/appl/apt000/pt0/include/p/): failed to open dir: Permission denied in /appl/estion/AE/web/html/sources/filed/gestioneOggetti.php on line 337
------
The PHP script line involved is
$hd=opendir($dir);
with $dir="/appl/apt000/pt0/include/p/"
This is the directory list where no "others" permissions are granted:
[aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p
drwxrwx--- 2 aspt000 aspt000 4096 Apr 19 12:52 p
If the directory gets back the grants for "others"
[aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p
drwxrwxrwx 2 aspt000 aspt000 4096 Apr 19 12:52 p
everything goes fine.
The user running the web server is in the same group (aspt000) (but is not the owner) of any of the dirs/files involved.
If we run a simple PHP script
We are using
- AIX 3.5
- PHP Version 4.3.8
- PHP API 20020918
- PHP Extension 20020429
- Zend Extension 20021010
- Thread Safety disabled
- Apache/1.3.33 (Unix) mod_ssl/2.8.24 OpenSSL/0.9.8d PHP/4.3.8
- Apache Release 10333100
- Apache API Version 19990320
We want to tighten the security on the machine so we have to remove the "others" grants, but on the other hand we don't want to face a PHP upgrade to a newer version.
Any suggestions?
Thanks.
Re: PHP 4 security File Access Issue on AIX
Alex Lirus wrote:
> Hi.
> We are facing a problem with an old PHP application.
>
> The application browses the local server directory in order to show to
> the client browser file info and data.
>
> When we remove all the grants from "others", from any of the
> directories or the tree involved, or the files themselves, the program
> pops up with the error:
>
> ------
> Warning: opendir(/appl/apt000/pt0/include/p/): failed to open dir: Permission denied in /appl/estion/AE/web/html/sources/filed/gestioneOggetti.php on line 337
> ------
You can suppress the error messages by putting @ in front of opendir:
$hd = @opendir($dir);
> The user running the web server is in the same group (aspt000) (but is
> not the owner) of any of the dirs/files involved.
If the webserver is in the group that is the group owner of the file, then
there shouldn't be any trouble for it to access the file, at least as long as
it's the server's main group.
> We want to tighten the security on the machine so we have to remove
> the "others" grants, but on the other hand we don't want to face a PHP
> upgrade to a newer version.
If the user has to authenticate itself before starting to browse, then it
would be the user's ownership that affects the access to files, and you would
get more "power" in limiting file access.
--
//Aho
Re: PHP 4 security File Access Issue on AIX
On 22 Jun, 09:27, Alex Lirus <magr... [at] hotmail.com> wrote:
>
> When we remove all the grants from "others", from any of the
> directories or the tree involved, or the files themselves, the program
> pops up with the error:
>
<snip>
> This is the directory list where no "others" permissions are granted:
>
> [aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p
> drwxrwx--- 2 aspt000 aspt000 4096 Apr 19 12:52 p
>
> If the directory gets back the grants for "others"
>
> [aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p
> drwxrwxrwx 2 aspt000 aspt000 4096 Apr 19 12:52 p
>
This is not a question about PHP, but a very simple question about
computer security (to say it's about Unix permissions would be an
exaggeration).
The solution is to have a coherent and appropriate security model -
then apply it.
Try googling for 'The Rute' (use a mirror) and learn about permissions
(the doc is written for Linux, but most of it applies to AIX too).
In the meantime:
> [aspt000@svuni330:/appl/apt000/pt0/include]#> ls -al p
> drwxrwxrwx 2 aspt000 aspt000 4096 Apr 19 12:52 p
is probably not what you want
drwxrwxr-x 2 aspt000 aspt000 4096 Apr 19 12:52 p
would be much safer. A better solution would be to have a group which
your webserver uid and the current members of aspt000 belong to (say
waspt000) and...
drwxrwS--- 2 aspt000 waspt000
C.
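Added example, not part of the thread: a POSIX sh walker that reports the first directory on the way to `$dir` that denies search or read to the identity the web server process runs as, reading `ls -ld` the way the listings above are read. The function names, the `nobody` user in the usage line and the optional `FROM` argument are assumptions made for this example; ACLs are not evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Classic Unix checks use exactly one
# class: owner bits if the uid matches, else group bits if the gid matches,
# else "other". opendir() needs search (x) on every directory in the path
# and read (r) on the last one. ACLs are ignored here.

# class_bits PATH USER GROUP -> "<3 applicable bits> <mode> <owner>:<group>"
class_bits() (
    user=$2 grp=$3
    set -f; set -- $(ls -ld "$1" 2>/dev/null)
    mode=$1 owner=$3 group=$4
    if   [ "$owner" = "$user" ]; then cols=2-4
    elif [ "$group" = "$grp" ];  then cols=5-7
    else cols=8-10; fi
    echo "$(printf '%s\n' "$mode" | cut -c"$cols") $mode $owner:$group"
)

# first_block DIR USER GROUP [FROM]
# USER/GROUP: identity the web server process runs as (its effective group).
# FROM: optional absolute prefix assumed reachable; it is skipped.
# Prints "ok" or the first blocking directory; exit status 1 when blocked.
first_block() (
    dir=$1 user=$2 grp=$3 from=$4 cur= info=
    IFS=/; set -f; set -- $dir; set +f; unset IFS
    for part in "$@"; do
        if [ -n "$part" ]; then cur="$cur/$part"; fi
        if [ -n "$from" ]; then
            case "$from/" in "$cur/"*) continue ;; esac
        fi
        info=$(class_bits "${cur:-/}" "$user" "$grp")
        case $info in
            ??[xst]\ *) ;;  # x, or s/t: setgid/sticky together with execute
            *)  # "-", or S/T: bit set but execute missing, so no search
                echo "no search (x): ${cur:-/} ${info#* }"; exit 1 ;;
        esac
    done
    case $info in
        r*) echo ok ;;
        *)  echo "no read (r): $cur ${info#* }"; exit 1 ;;
    esac
)

# Usage (nobody:aspt000 is an assumed server identity):
#   first_block /appl/apt000/pt0/include/p/ nobody aspt000
```

In `ls` output a lowercase `s` in the group column means setgid plus group execute, while an uppercase `S` means setgid without group execute, which the walker reports as blocking.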