Is there any security with suPHP?


Question

I asked this question a while back and even though I put up several bounties, I never got much of an answer (see here). More generally, I want to know if there is any concept of security with suPHP? What's to stop anyone from going to

www.example.com/rm-f-r.php

www.example.com/return_some_iamge.php

Because those scripts get executed with the privileges of the user, it's essentially guaranteed access.

EDIT: To elaborate on the above, my problem is a conceptual one. Assume we have a file at /home/user/test.php. Let this file do anything (rm -f -r /, fetch and return a picture, reboot the computer...). If I point my browser to that file (assuming the containing folder is an enabled site under Apache), how do I tell the browser to only let the owner of that file execute it?

EDIT 2: I never explicitly stated this as I assumed suPHP is only used with apache (i.e. web browsers), but I am talking about authenticating linux users with only a browser. If we do not authenticate, then anyone technically has access to any script on the server (with web sites this is not a problem as they always have permissions set to 0644, so essentially the whole world can see. PHP files, on the other hand, generally have permissions set to 0700).

Recommended answer

suPHP has the effect that the PHP runtime executes with the permission of the user that authored the .php file. This means that a PHP program author can only read and write files that he himself owns, or otherwise has access to.

If you put a PHP file on your website you are making it publicly runnable by anyone that comes along to your website - using suPHP does not change this. Without logging in to your site, all web users are effectively anonymous and there is no way to reliably identify an individual. suPHP only controls the local permissions the script will have when it is executed, it does not intend to introduce any form of web user authentication or authorisation.

If you wish to control which users can actually run a script, you need to implement some login functionality and force the users to log in to your site. Then add a check to the sensitive PHP script (or Apache configuration) which will make it abort the request if the currently logged-in web user is not one you wish to execute that script.
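The check described in the answer, written out as an added PHP example (it is not code from the question or the answer). It assumes a login page elsewhere on the site has already authenticated the visitor and stored their username in `$_SESSION['web_user']`; that session key, the allow-list entries and the `/login.php` path are hypothetical names chosen for this example. It also prints the Unix account the script runs as, to make the distinction the answer draws visible: suPHP decides that account from the file's owner, not from who sent the request.

```php
<?php
// Added example, not from the original question or answer: a per-script
// authorisation gate for a sensitive PHP script served under suPHP.
// Assumption: a separate login page has stored the authenticated username in
// $_SESSION['web_user'] (hypothetical key); the allow-list below is made up.

declare(strict_types=1);

session_start();

// Web-application identities permitted to run this particular script.
// This is entirely separate from the Unix account suPHP executes the file as.
const ALLOWED_WEB_USERS = ['alice', 'bob'];

/**
 * Abort the request unless the currently logged-in web user is on the allow-list.
 * Returns the username on success so the caller can use it for logging.
 */
function require_web_user(array $allowed): string
{
    $user = $_SESSION['web_user'] ?? null;

    if ($user === null) {
        // Nobody is logged in. Every anonymous visitor looks identical to the
        // server, so there is nothing to authorise: send them to the login page.
        header('Location: /login.php', true, 302);  // hypothetical login page
        exit;
    }

    if (!in_array($user, $allowed, true)) {
        // Logged in, but not one of the users allowed to trigger this script.
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Forbidden\n";
        exit;
    }

    return $user;
}

$webUser = require_web_user(ALLOWED_WEB_USERS);

// For contrast: the Unix account this script runs as. Under suPHP this is the
// owner of the .php file and is the same for every requester, whoever they are.
$unixUser = get_current_user();

header('Content-Type: text/plain');
echo "Web user: {$webUser}\n";
echo "Unix user running this script: {$unixUser}\n";

// ... the sensitive work that only an allow-listed web user may trigger goes here.
```

The gate runs before any other code in the script, so an anonymous visitor is redirected and a logged-in but unauthorised one gets a 403 before anything sensitive executes. The same effect can be had from the Apache configuration (for example an authentication requirement on the directory), which keeps the check out of the script entirely; either way the decision is made on the web user's identity, which suPHP does nothing to establish.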
