In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?


Question

Inspired by the discussion in this question, a maybe stupid question.

We have all been taught that leaving directories or files on Linux-based web hosting with the permission level of 777 is a bad thing, and to set always as little permissions as necessary.

I am now curious as to where exactly lies the danger of exploitation, specifically in a PHP / Apache context.

After all, a PHP script file can be executed from the outside (i.e. through a call to the web server, and subsequently to the interpreter) no matter whether it is marked as "executable", can't it? And the same applies to files called through the command-line php interpreter, right?

So where exactly is the vulnerability with 777? Is it the fact that other users on the same machine can access files that are made world writable?

Recommended answer

Here is a scenario:

  1. You have an unprotected directory that users can upload to.
  2. They upload two files: a shell script, and a php file that has a system() call in it to the shell script.
  3. They access the php script they just uploaded by visiting the URL in their browser, causing the shell script to execute.

If this directory is 777, that means that anybody (including the user apache, which is what php script will execute as) can execute it! If the execute bit is not set on that directory and presumably the files inside the directory, then step 3 above would do nothing.

Edit from the comments: it's not the PHP file's permissions that matter, it's the system() call inside the PHP file that will be executed as a Linux system call by the Linux user apache (or whatever you have apache set to run as), and that is PRECISELY where the execution bit matters.
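
A defender's check for the scenario in the answer above, as an added example that is not part of the original post: it lists world-writable entries and files carrying an execute bit under an upload directory, then resets the modes. The function names, the constructed fixture and the 0755/0644 target modes are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten an upload directory. All paths are constructed.

# List entries under $1 that any local account can write to (o+w), skipping symlinks.
audit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# List regular files under $1 that carry an execute bit for user, group or other.
audit_executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Reset modes: directories 0755, files 0644 (no execute bit left on any file).
# Assumption: the tree is owned by the account that has to write uploads.
harden_tree() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Build a constructed fixture: a 777 upload directory holding a 777 shell script.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads"
    printf '#!/bin/sh\necho ran\n' > "$d/uploads/run.sh"
    chmod 0777 "$d/uploads" "$d/uploads/run.sh"
    echo "$d"
}

# Walk-through, run only on request: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "world-writable before:"; audit_world_writable "$root"
    echo "executable files before:"; audit_executable_files "$root"
    harden_tree "$root"
    echo "world-writable after: $(audit_world_writable "$root" | wc -l)"
    # Direct execution is now refused because no execute bit is left.
    "$root/uploads/run.sh" 2>/dev/null || echo "run.sh: execution refused"
    rm -rf "$root"
fi
```

The mode reset only blocks direct execution of a file; a script handed to an interpreter as an argument is read rather than executed, so this check complements, and does not replace, keeping uploads out of directories where the server runs PHP.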
