php program can read /etc/passwd?


Today I found a problem when I wrote a section of PHP code like this:

$fp = fopen("/etc/passwd", "r");
if ($fp) {
    // the open succeeds on a default setup: /etc/passwd is world-readable
    echo 'ok!';
    $result = fread($fp, filesize("/etc/passwd"));
    fclose($fp);
    echo $result;
} else {
    echo 'no!';
}

I found that it really can read the passwd file! I'm not very familiar
with PHP, so I don't know whether there are any configuration options to limit
this behavior (in php.ini)? I think it isn't an Apache problem, so it
does no good to modify httpd.conf, does it?

I googled and got some information about the 'open_basedir' parameter. But
my LAMP sites have many virtual hosts, every host belongs to a different
user, and his/her 'DocumentRoot' belongs to a system user like this:
ls /www/users -l
drwx--x--x  17 user_elnzpjps ftpd 4096 Mar 13 16:42
So I think it is not a good idea to set open_basedir to '/www/
users', because it's a problem when one user can read the files of

So, what is the resolution?

Thank you.

Re: php program can read /etc/passwd?

Rocky Zhou schrieb:
You can define a different open_basedir for every VirtualHost.
DocumentRoot /var/www/domain/
User user
Group group
php_admin_value open_basedir /var/www/domain/
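An added example (not from the thread) of what the per-VirtualHost approach looks like on the /www/users layout from the question; host names, user names and the htdocs/tmp subdirectories are assumed:

```apache
# Added example, not the thread's own configuration. Each VirtualHost gets
# its own open_basedir so PHP running for a.example.com cannot open files
# under /www/users/user_b/ (or /etc/passwd), and vice versa.

# Coarse server-wide default: any vhost that forgets its own value
# inherits this instead of running unrestricted.
php_admin_value open_basedir "/www/users/"

<VirtualHost *:80>
    ServerName a.example.com
    DocumentRoot /www/users/user_a/htdocs

    # Trailing slash matters: "/www/users/user_a" is a prefix match and
    # would also allow "/www/users/user_a_old"; "/www/users/user_a/" does not.
    # Several paths can be listed, separated by ":" on Unix.
    php_admin_value open_basedir "/www/users/user_a/"

    # Session and upload temp files must live inside the allowed paths,
    # otherwise PHP warns "open_basedir restriction in effect" and sessions
    # or uploads fail. A per-host tmp also keeps session files private.
    php_admin_value session.save_path "/www/users/user_a/tmp/"
    php_admin_value upload_tmp_dir "/www/users/user_a/tmp/"

    # php_admin_* cannot be overridden from .htaccess or ini_set().
    php_admin_flag allow_url_fopen Off
</VirtualHost>

<VirtualHost *:80>
    ServerName b.example.com
    DocumentRoot /www/users/user_b/htdocs
    php_admin_value open_basedir "/www/users/user_b/"
    php_admin_value session.save_path "/www/users/user_b/tmp/"
    php_admin_value upload_tmp_dir "/www/users/user_b/tmp/"
    php_admin_flag allow_url_fopen Off
</VirtualHost>
```

Two caveats worth knowing. The `php_admin_value` directive is mod_php's; under PHP-FPM the same setting goes into each pool's configuration as `php_admin_value[open_basedir] = /www/users/user_a/`. And open_basedir is enforced by PHP's file functions, not by the operating system: with mod_php every host's scripts run as the single Apache user, so the `drwx--x--x` mode on the user directories only prevents listing, not reading a file whose name is already known, and a command started through `system()` or `shell_exec()` is not subject to open_basedir at all. `disable_functions` is the complementary setting for that.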

Re: php program can read /etc/passwd?

Thank you. It works.

On Mar 21, 8:40 PM, Mike Roetgers <miker...@in>

Re: php program can read /etc/passwd?

Rocky Zhou wrote:


Yep, it is normal that /etc/passwd is globally readable on Linux/UNIX
systems. If it could not be read by all processes, they'd be unable to map
between numeric UIDs and usernames -- this would negatively affect common
utilities like "ps" and "ls".

This might *sound* like a security problem, but traditionally passwords in
/etc/passwd are stored in an encrypted format using the "crypt" algorithm.
What's more, most modern distributions no longer keep passwords in
/etc/passwd, but keep them in /etc/shadow instead, which has tighter
security -- /etc/passwd just holds less sensitive information, such as
usernames, UIDs, default group, home directory path, default shell and
so on.

Toby A Inkster BSc (Hons) ARCS
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
