should PHP ever run as root?

My company is leasing a server from Interland, which is a very large
web hosting company. I assume Interland knows how to set up a BSD
server with the usual add-ons, including PHP. But when I run
phpinfo(), I get information that makes it seem like PHP is running as
root. Isn't this a security problem?

This is some of the info I'm getting back from phpinfo():

Additional Modules


USER    root
HOME    /root
ORIG_HOME    /root
LOGNAME    root
TERM    vt100
PATH    /bin:/usr/bin
CALLER    root
CALLER_HOME    /root
SUPERCMD    apachectl_1.3.22_2.8.5
ORIG_USER    root

PHP Variables

HTTP_SERVER_VARS["argc"]    0
HTTP_ENV_VARS["HOME"]    /root
HTTP_ENV_VARS["TERM"]    vt100
HTTP_ENV_VARS["PATH"]    /bin:/usr/bin
HTTP_ENV_VARS["SUPERCMD"]    apachectl_1.3.22_2.8.5

Re: should PHP ever run as root?

lawrence wrote:

That looks bad... Try creating a directory at the "/" level. If you can
do that, then you can do about anything....

Justin Koivisto -
PHP POSTERS: Please use comp.lang.php for PHP related questions,
              alt.php* groups are not recommended.

Re: should PHP ever run as root?

lawrence wrote:

Welll, that looks really neat!
Just launch a script execing shutdown -h 0 and see what happens.
Houston, that is not good, I repeat not good

Without wanting to feed an urban myth, xs4all, among the bigger providers
here in the Netherlands also hardly seem to have a clue about a lot of what
even I call straightforward stuff.

Perhaps though this is a chrooted environment? Not too familiar with all
its intricacies, but I guess it could be possible to make it seem like a
regular root? But maybe I am babbling as well. I often am, they say ;-)

If this is truly a root environment I'd feel rather awkward, knowing the
userbase of these big players.

Good luck with that, and have a ball while you're at it! (and keep us

Re: should PHP ever run as root?

I'll give that a try later today.

What does chrooted mean?

By the way, I just had PHP create a directory and the owner of the
directory was listed as "nobody". What to conclude? Or, better, what
to test?

Re: should PHP ever run as root?

On 6 Aug 2004 11:40:49 -0700, (lawrence) wrote:

It means the directory structure is made to appear that you're in one
place (like /) when you're really in another (like /usr/yourname)
and the directories like bin, etc and lib show up with only the
commands you can run.

nobody is the userid assigned to the web server by default.  
gburnore@databasix dot com
How you look depends on where you go.
Gary L. Burnore
DataBasix
Black Helicopter Repair Svcs Division
Want one?  GET one!
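
An added example, not written by any poster in this thread, for the "what to test?" question above: it asks the kernel which user the PHP process really runs as and prints that next to the USER/LOGNAME/HOME strings that phpinfo() displays, which are simply inherited from whoever started the server. It assumes the posix extension is loaded; the function names are illustrative.

```php
<?php
// Added example: compare the identity the kernel reports for this PHP process
// with the environment variables it inherited from whoever started the server.
// Assumes the posix extension is loaded; function names are illustrative.

function name_for_uid(int $uid): string
{
    $pw = posix_getpwuid($uid);            // false when the uid has no passwd entry
    return $pw ? $pw['name'] : "uid $uid";
}

// Independent check through the filesystem: who owns a file we just created?
function owner_of_new_file(): ?int
{
    $path = tempnam(sys_get_temp_dir(), 'idchk');
    if ($path === false) {
        return null;                       // no writable temp directory
    }
    $uid = fileowner($path);
    unlink($path);
    return $uid === false ? null : $uid;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

$euid  = posix_geteuid();                  // the uid permission checks actually use
$ruid  = posix_getuid();
$owner = owner_of_new_file();

printf("effective uid : %d (%s)\n", $euid, name_for_uid($euid));
printf("real uid      : %d (%s)\n", $ruid, name_for_uid($ruid));
printf("new file owner: %s\n", $owner === null ? 'n/a' : name_for_uid($owner));

// These are only strings copied from the launching environment; they do not
// change when the server switches to an unprivileged user.
foreach (['USER', 'LOGNAME', 'HOME'] as $var) {
    $val = getenv($var);
    printf("env %-10s: %s\n", $var, $val === false ? '(unset)' : $val);
}

if ($euid === 0 || $owner === 0) {
    echo "RESULT: PHP code executes as root\n";
} elseif (getenv('USER') === 'root') {
    echo "RESULT: unprivileged process; 'root' appears only in the inherited environment\n";
} else {
    echo "RESULT: unprivileged process\n";
}
```

Request the script through the web server rather than running it from a shell, since the command-line binary runs as your login user and tells you nothing about the server's workers.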
