Browser reading files with root permission

Discussion in 'ISPConfig 3 Priority Support' started by MaxT, Mar 29, 2019.

  1. MaxT

    MaxT Active Member

    when I create a file ".user.ini" owned by root inside a /web folder, this file can be read by the browser. Even when this file has 0644 permissions.
    I create a file "test.php"
    Code:
    <?php 
    echo shell_exec('whoami');
    >
    
    and it returns "web10".

    Then, if the browser has the user web10, Why is there access to files owned by root, and with 0644 permissions?

    I can create one ".ini" files restriction inside htaccess to avoid access. Although I don't know if this is a behaviour of the php-fpm, or perhaps there is a permission problems to be fixed

    Sorry, I don't want to flood this subforum with too many questions. It is the first time I use php-fpm. My previous ISPC were always cgi with only one php, I'm not sure of the cause of some errors.
    Hope this wil be the last one!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You created a file on a Linux system and gave that file global read permissions, which means any user of the system can read it.

    Example:

    Code:
    root@server1:/tmp# touch test.txt
    root@server1:/tmp# chmod 644 test.txt
    root@server1:/tmp# ls -la test.txt
    -rw-r--r-- 1 root root 0 Mar 12 13:12 test.txt
    as you can see, 0644 translates to the permissions:

    The user root can read and write the file
    The group root can read the file
    Everyone else can read the file

    So any user of the system must be able to read the file when you set it to be readable by 'other'. If you want to make the file readable by the user and group only, you must use chmod 0640 and not 0644.
     
    MaxT likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    And as a side note, custom PHP settings should not be added into a .user.ini file, better add them in the custom php.ini field of the website, see options tab of the site.
     
    MaxT likes this.
  4. MaxT

    MaxT Active Member

    ... it is 0640, I need a break! I will use the option tabs, thanks so much.
     

Share This Page