4084
Comment:
|
4537
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= Using PHP = | = PHP Scripts = |
Line 3: | Line 3: |
The version of PHP installed on the webserver and lab machines is 5.2.3. Most common PHP libraries should already be installed. | The version of PHP installed on the webserver is 5.3.10. Most common PHP libraries should already be installed. |
Line 14: | Line 14: |
Note that if you download PHP scripts from the Internet, you are responsible for ensuring that the scripts really do what they say they will, do not misbehave and are secure. Bear in mind that by allowing these scripts to run as CGI scripts on our web servers, they will be invoked by untrusted users across the Internet, but will run with '''your user privileges''' on our web server, and hence have the same access to files in your home directory as you do! If you choose to use a well known piece of web software (eg a wiki or a content management system), it is quite likely that particular versions of such software will have vulnerabilities which hackers know how to exploit. It is '''your responsibility''' for keeping your web-based software up to date and (as far as possible) secure. If you get our webserver hacked because you have not kept your chosen software up to date, we will be extremely annoyed with you. |
Note that if you download PHP scripts from the Internet, you are responsible for ensuring that the scripts really do what they say they will, do not misbehave and are secure. Bear in mind that by allowing these scripts to run as CGI scripts on our web servers, they will be invoked by untrusted users across the Internet, but will run with '''your user privileges''' on our web server, and hence have the same access to files in your home directory as you do! |
Line 17: | Line 16: |
Below is an example of a basic PHP script that resides in the root of a users public home directory: | If you choose to use a well known piece of web software (eg a wiki or a content management system), it is quite likely that particular versions of such software will have vulnerabilities which hackers know how to exploit via web attacks. It is '''your responsibility''' for keeping your web-based software up to date and (as far as possible) secure. If you get our webserver hacked because you have not kept your chosen software up to date, we will be extremely annoyed with you. As Terry Pratchett so nearly says: '''Do not meddle with the affairs of systems programmers [wizards]. They're not all that subtle, and quick to anger.''' Our webservers (www.doc.ic.ac.uk and www-homes.doc.ic.ac.uk) currently run Ubuntu 12.04 (aka Precise). == An Example == Here is an example of a basic PHP script that resides in the root of a users public home directory: |
Line 20: | Line 28: |
$ pwd /homes/help/public_html |
$ cd ~/public_html |
Line 24: | Line 31: |
drwxr-xr-x 20 help csg 8192 Feb 1 14:10 ./ | drwxr-xr-x 20 fred csg 8192 Feb 1 14:10 ./ |
Line 27: | Line 34: |
-rwx------ 1 help csg 44 Feb 1 13:45 test.cgi | -rwx------ 1 fred csg 44 Feb 1 13:45 test.cgi |
Line 38: | Line 45: |
* The script is executable. To ensure a script is executable run {{{ chmod +x <filename> }}} | * The script has to be executable. To ensure a script is executable run {{{ chmod +x <filename> }}} |
Line 40: | Line 47: |
* The script is only writable by the owner of the file. If other users can write to the file then SuExec will refuse to execute it. The only exception are group project directories which can be group writable. To ensure that this is the case run {{{ chmod ga-w <filename> (chmod a-w <filename> for group directories}}} | * The script is only writable by the owner of the file. If other users can write to the file then Apache's suexec mechanism will refuse to execute it. To ensure that this is the case run {{{ chmod 755 <filename>}}} |
Line 42: | Line 49: |
* The file must be in "Unix format". If you created or edited the file on Windows run {{{ dos2unix <filename> }}} to convert it to "Unix format". | * The only exception are scripts in group project directories which can be group writable. To ensure that this is the case run {{{ chmod 775 <filename>}}} |
Line 44: | Line 51: |
* If you get an "Internal Server Error" with a script check the log in /vol/wwwhomeslogs/server-suexec_log | * The file must be in "Unix format" [Unix line endings, ie. each line ends in a newline character only]. Windows and MacOS line endings will not work. If you created or edited the file on Windows run {{{ dos2unix <filename> }}} to convert it to "Unix format". * If you get an "Internal Server Error" with a script check the log in /vol/wwwhomeslogs/suexec.log |
Line 50: | Line 59: |
* everything should be group readable, writable, and executable (if necessary). {{{ chmod g+rwx <filename> }}} | * everything should be group readable, writable, and executable (if necessary). {{{ chmod 775 <filename> }}} |
Line 52: | Line 61: |
* all new directories created should have chmod g+s done on them to cause newly created files and directories inside them to inherit the parent directory group (eg. g0436204B) rather than using the creating user's primary group (eg. jmc3). {{{ chmod g+s <directory> }}} | * all new directories created should have {{{chmod g+s}}} done on them to cause newly created files and directories inside them to inherit the parent directory group (eg. g1136204) rather than using the creating user's primary group (eg. jmc3). {{{ chmod g+s <directory> }}} |
PHP Scripts
The version of PHP installed on the webserver is 5.3.10. Most common PHP libraries should already be installed. If there is one you need that isn't installed and you can find it in the standard Ubuntu repositories let us know and we can install it for you.
We use Suexec and CGI for running PHP scripts rather than mod_php. This provides a more secure environment but means that downloaded PHP applications may not work out of the box, because most people designing PHP scripts assume that mod_php will be used. However, we view this as an excellent security precaution, as it means that you can't just download a PHP app and install it and let it run without having to think about how to make it run!
The most obvious consequence is that all PHP scripts must start with the line "#!/usr/bin/php" and be executable.
The most common problem users have with pre-written PHP software is that an existing tree of PHP source files will not have #!/usr/bin/php at the beginning of the scripts, and, worse still, PHP makes no distinction between a program (script invoked by a URL) - which needs #!/usr/bin/php adding - and a library (file which is included into another PHP file) - which does not need, and must not have, the #!/usr/bin/php line added. So, in this situation, you need to identify which individual PHP files are programs (scripts, accessed as URLs) and add the #!/usr/bin/php to just those files.
Note that if you download PHP scripts from the Internet, you are responsible for ensuring that the scripts really do what they say they will, do not misbehave and are secure. Bear in mind that by allowing these scripts to run as CGI scripts on our web servers, they will be invoked by untrusted users across the Internet, but will run with your user privileges on our web server, and hence have the same access to files in your home directory as you do!
If you choose to use a well known piece of web software (eg a wiki or a content management system), it is quite likely that particular versions of such software will have vulnerabilities which hackers know how to exploit via web attacks. It is your responsibility for keeping your web-based software up to date and (as far as possible) secure. If you get our webserver hacked because you have not kept your chosen software up to date, we will be extremely annoyed with you. As Terry Pratchett so nearly says:
Do not meddle with the affairs of systems programmers [wizards]. They're not all that subtle, and quick to anger.
Our webservers (www.doc.ic.ac.uk and www-homes.doc.ic.ac.uk) currently run Ubuntu 12.04 (aka Precise).
An Example
Here is an example of a basic PHP script that resides in the root of a users public home directory:
$ cd ~/public_html $ ls -lad /homes/help/public_html drwxr-xr-x 20 fred csg 8192 Feb 1 14:10 ./ $ ls -la test.cgi -rwx------ 1 fred csg 44 Feb 1 13:45 test.cgi $ cat test.cgi #!/usr/bin/php <?php echo "hello world"; ?>
Key points to note:
The script has to be executable. To ensure a script is executable run chmod +x <filename>
The script is only writable by the owner of the file. If other users can write to the file then Apache's suexec mechanism will refuse to execute it. To ensure that this is the case run chmod 755 <filename>
The only exception are scripts in group project directories which can be group writable. To ensure that this is the case run chmod 775 <filename>
The file must be in "Unix format" [Unix line endings, ie. each line ends in a newline character only]. Windows and MacOS line endings will not work. If you created or edited the file on Windows run dos2unix <filename> to convert it to "Unix format".
- If you get an "Internal Server Error" with a script check the log in /vol/wwwhomeslogs/suexec.log
Group project areas
A few things to note about permissions if you are running scripts from a group project areas (ie. somewhere in /vol/project/...).
everything should be group readable, writable, and executable (if necessary). chmod 775 <filename>
all new directories created should have chmod g+s done on them to cause newly created files and directories inside them to inherit the parent directory group (eg. g1136204) rather than using the creating user's primary group (eg. jmc3). chmod g+s <directory>