本文介绍了phpsuexec的安全性的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

一个特定的网络托管公司决定在他们的网络服务器的所有

上安装phpsuexec,理由是出于安全考虑。我的问题是......

它真的更安全吗?

如果没有phpsuexec,如果PHP脚本要创建新文件,那么公开
需要在特定目录上启用
写入权限,因为

PHP以用户''nobody''运行。


但是使用phpsuexec, ,那不是必需的。 phpsuexec作为

root用户运行。


问题是......如果PHP存在漏洞会发生什么?

脚本?如果某人有这样的PHP脚本会发生什么?:


<?php

eval($ _ GET [''cmd'']);

?>


如果没有phpsuexec,攻击者唯一能做的就是

操纵*做*公开的文件写权限。然而,使用

phpsuexec,攻击者可以做任何他想要的任何文件。


基本上,phpsuexec在我看来,如果你假设PHP应用程序根本不包含

漏洞,那么我认为这只是一个很好的方法来获得
安全性。这是一个愚蠢的假设。这就像是相信

只是因为你运行Windows XP SP3并且安装了每次更新

,你不需要防火墙。


也许我错过了什么?或者,phpsuexec只是,平坦,一个糟糕的想法?

解决方案





实际上,IIRC,phpsuexec像你一样运行脚本,而不是root用户。

如果他们将它设置为以root身份运行,则他们没有正确配置




-

==================

删除x来自我的电子邮件地址

Jerry Stuckle

JDS计算机培训公司


==================


A particular web hosting company decided to install phpsuexec on all
their webservers, citing security considerations. My question is...
is it really more secure?

Without phpsuexec, if a PHP script is to create new files, public
write permission needs to be enabled on the particular directory since
PHP is ran as user ''nobody''.

With phpsuexec, however, that''s not needed. phpsuexec runs as the
root user.

The problem is... what happens if there''s a vulnerability in a PHP
script? What happens if someone has a PHP script like this?:

<?php
eval($_GET[''cmd'']);
?>

Without phpsuexec, the only thing an attacker could do is to
manipulate files that *do* have public write permission. With
phpsuexec, however, an attacker can do whatever he wants to to pretty
much any file.

Basically, phpsuexec seems to me to only be a good approach to
security if you assume that PHP applications simply do not contain
vulnerabilities. Which is a dumb assumption. That''s like believing
that just because you''re running Windows XP SP3 with every update
installed that you don''t need a Firewall.

Maybe I''m missing something? Or is phpsuexec just, flat out, a bad
idea?

解决方案



Actually, IIRC, phpsuexec runs the scripts as you, not as the root user.
If they have it set up to run as root, they haven''t configured it
properly.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================


这篇关于phpsuexec的安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-12 10:03