
We have a web server running Lighttpd on FreeBSD.

Some of our clients demand FTP access to their server. With most of them, chrooting them with the FTP daemon into a "files" directory so they can upload pictures of their kids or whatnot suffices, and then we just have Lighty configured to not fire up FastCGI if a request is made for a file in that directory. But at least one client needs access to their whole webroot. Okay, so I set up the FTP daemon to umask 022 all uploaded files (so the permissions become rw-r--r--) and thought I was very clever.

However, it has come to my attention (thankfully not the hard way) that PHP scripts are executable on the server if the file merely has the relevant read bit set; the execute bit (or lack thereof) is ignored. What's up with that? I assumed the execute bit would have to be set in order for the file to be, you know, executed…

Is there simply a way to stop Lighty and/or PHP from executing scripts without execute bits? (I've already tried #lighttpd on Freenode, but they didn't seem to think it was possible.)

2 Answers


The execute bit has nothing to do with the HTTP server. CGI scripts need it because the HTTP server uses exec(3) (and friends) to execute them. PHP scripts on the other hand are read and executed because the configuration of the web server allows them to.

  • So your quick choice is to remove the read bit from the PHP scripts that you want the HTTP server not to execute.

  • Read the configuration manual of your web server and find out whether you can have it selectively (per directory) execute PHP scripts (I do run lighttpd and do not know whether it is possible or not).

adamo
  • Removing the read bit isn't an option, since we do want files folks upload to be *served* (as opposed to *executed*) by the server. (One guy likes to upload lots of pictures he uses in eBay auctions.) It *is* possible to disable PHP execution scripts per directory, as I mentioned in the OP. Post a question tagged with "lighttpd" if you'd like me to tell you how it can be done. – Garrett Albright Nov 11 '09 at 23:50
  • Like I told you: The execute bit has to do with the exec(3) family of system calls which the web server uses to execute CGI scripts. I highly doubt that you allow PHP scripts to run as CGI (although it is possible). So the execute bit has nothing to do with your problem. Since you want certain PHP scripts not to be executed by the web server, the correct terminology here is interpreted. When you request from a browser a page that is a PHP script, the server reads it, understands that it is PHP, interprets it and then sends you the HTML output. Remove the read bit from such a file and you are OK. – adamo Nov 12 '09 at 06:18
  • The FTP daemon itself is configured to set permissions on uploaded files. I really have better things to do than to monitor what files clients are uploading and manually turn off read bits for any that might be scripts… And I can't set the daemon to turn off read bits on files, because allowing them to upload files which can then be served by the server is the entire point. Hopefully that clarifies my approach here… And we're using FastCGI to link the PHP interpreter and Lighty. – Garrett Albright Nov 12 '09 at 16:20
  • http://redmine.lighttpd.net/wiki/1/TutorialLighttpdAndPHP It has a small per-directory configuration section. It may help (The fact that you run PHP over FastCGI really clarified the situation) – adamo Nov 12 '09 at 22:33

IIRC if you run PHP through CGI+PHPsuExec/suphp (or FastCGI+suExec/suphp) it is very fussy about permissions (and ownership) by default, though I'm not sure how much of this is due to PHP or PHPsuExec/suphp - this is why some (including my own shared web server) run this way rather than through the Apache module. It requires scripts to have the execute-for-user bit set and will not run if either of the group-write or other-write bits are set with similar checks for the directories the script is located in.

I'm running through Apache on the machines I use PHP on though, so I couldn't tell you how to configure this under lighttpd.

David Spillett
  • This looks promising, but it would require installing Apache just to get one of the cousin binaries that comes along with it…? We're running on an inexpensive VPS, so I do have to be somewhat mindful of what I've got taking up space on there. – Garrett Albright Nov 12 '09 at 16:22
  • You can probably get lighttpd and php running the same way without an Apache install. Though I'm not the person to tell you how to do that, unfortunately. – David Spillett Nov 12 '09 at 16:26
  • php can run as standard CGI, so you should be able to configure lighttpd to do this. – binki Jul 17 '16 at 19:23
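The second answer describes the permission rules a suExec/suphp-style setup enforces before it will run a script: the owner-execute bit must be set, and neither the script nor the directories it sits in may be group- or world-writable. The audit script below is an added example, not code from either poster or from suphp itself; it implements exactly the rules as the answer states them (assumed rule set; real suphp has additional ownership checks that are not reproduced here) and applies them to a constructed document root, so you can see why a file uploaded under the OP's `umask 022` (mode `rw-r--r--`) would be refused under such a policy while a deliberately deployed `rwxr-xr-x` script would not, and why a world-writable upload directory taints everything inside it. The function and directory names (`permission_problems`, `audit_tree`, `build_demo_docroot`) are my own choices.

```python
import os
import stat
import tempfile

# Mode bits that make a file or directory writable by someone other than its owner.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def permission_problems(script_path, docroot):
    """Return a list of human-readable violations of the suphp-style rules
    described in the answer (assumed rule set, not suphp's actual code):
      1. the script must carry the owner-execute bit;
      2. the script must not be group- or world-writable;
      3. no directory from the document root down to the script may be
         group- or world-writable.
    An empty list means the policy would allow the script to run."""
    script_path = os.path.abspath(script_path)
    docroot = os.path.abspath(docroot)
    problems = []

    st = os.stat(script_path)
    if not st.st_mode & stat.S_IXUSR:
        problems.append("%s: owner-execute bit not set" % script_path)
    if st.st_mode & GROUP_OR_WORLD_WRITE:
        problems.append("%s: script is group- or world-writable" % script_path)

    # Walk upwards from the script's directory to the document root (inclusive).
    directory = os.path.dirname(script_path)
    while True:
        if os.stat(directory).st_mode & GROUP_OR_WORLD_WRITE:
            problems.append("%s: directory is group- or world-writable" % directory)
        if directory == docroot or os.path.dirname(directory) == directory:
            break
        directory = os.path.dirname(directory)
    return problems


def audit_tree(docroot, extensions=(".php",)):
    """Map every script under docroot to its list of violations, so an
    administrator can see which uploaded files the policy would refuse."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                report[path] = permission_problems(path, docroot)
    return report


def build_demo_docroot():
    """Create a constructed document root with three cases:
      uploaded.php   mode 0644 (what an FTP upload under umask 022 produces)
      app/index.php  mode 0755 (a script the site owner deployed on purpose)
      files/evil.php mode 0755 but inside a world-writable upload directory
    Returns the docroot path; the caller may delete it afterwards."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    os.chmod(root, 0o755)

    with open(os.path.join(root, "uploaded.php"), "w") as fh:
        fh.write("<?php echo 'uploaded'; ?>\n")
    os.chmod(os.path.join(root, "uploaded.php"), 0o644)

    os.mkdir(os.path.join(root, "app"))
    os.chmod(os.path.join(root, "app"), 0o755)
    with open(os.path.join(root, "app", "index.php"), "w") as fh:
        fh.write("<?php echo 'site'; ?>\n")
    os.chmod(os.path.join(root, "app", "index.php"), 0o755)

    os.mkdir(os.path.join(root, "files"))
    os.chmod(os.path.join(root, "files"), 0o777)  # world-writable drop box
    with open(os.path.join(root, "files", "evil.php"), "w") as fh:
        fh.write("<?php echo 'should be refused'; ?>\n")
    os.chmod(os.path.join(root, "files", "evil.php"), 0o755)
    return root


if __name__ == "__main__":
    demo_root = build_demo_docroot()
    for path, problems in sorted(audit_tree(demo_root).items()):
        verdict = "would run" if not problems else "refused"
        print("%-9s %s" % (verdict, os.path.relpath(path, demo_root)))
        for problem in problems:
            print("          - " + problem)
```

Only `app/index.php` passes all three checks; `uploaded.php` fails on the missing execute bit, which is the behaviour the OP hoped the execute bit would give, and `files/evil.php` fails purely because of its parent directory's mode. Running `audit_tree` periodically against a real webroot (where such a policy is in force) is a cheap way to spot uploads that the interpreter would otherwise happily serve.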