Php – Dev background, safe to have php files owned by root but Apache different user

apache-2.2fedoraPHP

I'm from a programming background and been thrown into managing a Linux server at work because of an emergency with our reg sys admin. Is it reliable or safe to have our PHP files owned by root yet Apache obviously running on Fedora 8 as apache?

Apache is given rights to read and in minor cases like the uploads directory, write privileges by chmod 777 for that uploads folder.

We are running mod_security but wondered if there was some better practice. I'm alone on this for the next 2-3 weeks while the sys admin is recuperating.

Best Answer

What group owns the PHP files? Your mention of 777 suggests that it's the 'wheel' or 'adm' or some other privileged group, so that the only way Apache can see any file is when that file is world-readable. Or world-writable, in the case of the uploads folder.

That's almost certainly not a good thing -- although the severity would depend on what all you're running on the server (both web-based and otherwise), whether any of the PHP scripts contain plaintext credentials, etc.

If, on the other hand, the files are owned by the gid that Apache runs under, then you're in somewhat better shape. You could in theory do a chmod -R o-rwx on DocumentRoot to remove all "world" privileges, and everything would most likely be nice and safe and your web pages would still work.

But then there's the question of setuid bits. I'm not sure off the top of my head whether a root-owned PHP script with setuid turned on could, in practice, be exploited for malicious purposes, but I wouldn't want one on my web server.

And even if setuid is not a concern, the root-ownership still doesn't smell right to me.

Related Solutions

Linux – Remove files with PHP owned by different user

When I have to things from PHP that require root privileges on a system that has mod_php I usually write a small helper script to actually do the task. Then I use system() or proc_open() to call the script via sudo. You will need to configure your apache user account to be able to run that particular script with no password.

If the system has the cli version of php installed then you can write your helper script in PHP since it sounds like that is familiar to you.

/etc/sudoers looks like this:

Cmnd_Alias PHPHELPER=/path/helper-script 
www-data ALL=NOPASSWD: PHPHELPER

The advantage of doing this is that you can write a very tight and specific helper script that only performs one task, and you can add lots of good error checking to prevent badness. This minimizes the potential for a system compromise.

Php – How to run PHP files as another user with Apache and FastCGI

IMHO the (more recent and) best way to run PHP FastCGI is using PHP-FPM, which among the many options also permits to use different users for different websites.

From the official website:

Ability to start workers with different uid/gid/chroot/environment and different php.ini (replaces safe_mode)

But using FastCGI by itself is not enough to use the owner of the file (and there's no such thing as "automatically using the owner of the file": you have to actually configure it virtual host by virtual host (or as you wish).

Best Answer

Related Solutions

Linux – Remove files with PHP owned by different user

Php – How to run PHP files as another user with Apache and FastCGI

Related Topic