I was trying to tighten up security on some things today and I broke a whole application when I changed the permissions on the PHP CLI scripts to 711 (execute only for group and everyone, on Debian Linux).

Part of the issue was that they were called as `php script`, which requires read permissions from my understanding. However, the main script does have a shebang, and calling the script directly failed if it was not readable, as `Could not read input file`. This seems to contradict this answer.

The main script includes/requires a lot of other scripts, and so I tried changing the main script to be 755 (read and execute). That script was able to start running, but failed immediately because it was not able to include any of the required files.

The only way to get it to work properly is 755 on every file, including all the files that contain database passwords and privileged secrets to access things that are only supposed to be accessible through the application (and while that alone may not be best practice, I don't believe an environment file would help, because a user would be able to read that, too).

It seems PHP will not run anything, directly or not, without read permission on files, which poses a big security problem here. Is there any way to fix this, or is this not possible without compiling everything to binary somehow? Ideally, users could launch the program, and the program could do what it needs to, but the user should not be able to, say, `cat` the source code and read it. Seems like a catch-22 here...

InterLinked
  • `It seems PHP will not run anything, directly or not, without read permission on files` The interpreter can't run what it can't read. `However, the main script does have a shebang, and calling the script directly failed if it was not readable, as Could not read input file. This seems to contradict this answer.` It doesn't. – tkausl Jun 22 '21 at 22:26
  • @tkausl So there is no way you know of for it to work with just +x, it has to be r+x? – InterLinked Jun 22 '21 at 22:27
  • Well, for a user to be able to *execute* a file, the user must be able to *read* which instructions to execute... You wouldn't give someone the keys to your car but only allow them to drive with a blindfold on, would you? – rickdenhaan Jun 22 '21 at 22:27
  • @rickdenhaan That's not true for binary executables, but it's true for interpreted scripts. – Barmar Jun 22 '21 at 23:00
  • See https://unix.stackexchange.com/questions/34202/can-a-script-be-executable-but-not-readable – Barmar Jun 22 '21 at 23:02
  • The duplicate question is about bash scripts, but the issue is the same for any interpreted scripts. – Barmar Jun 22 '21 at 23:04
  • There is an answer linked from the question that @Barmar posted that provides a solution to the problem. https://unix.stackexchange.com/questions/16623/file-permission-execute-only/77538#77538 It may or may not be viable for your particular case. Needless to say, PHP (or any interpreted language not compiled to binary prior to execution) seems to be a poor fit for your application. – Rob Ruchte Jun 22 '21 at 23:10
  • @Barmar Thanks, I learned something today :-) – rickdenhaan Jun 23 '21 at 00:17
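
The distinction drawn in the comments (binaries need only execute permission, interpreted scripts and the files they include also need read permission) can be checked across a source tree. The following is an added example, not code from the question or the comments; the function names `kind`, `needs` and `audit` are hypothetical, GNU `stat` (as on Debian) is assumed, and only the "other" permission bits are examined.

```shell
#!/bin/sh
# Added example: decide from a file's first bytes how it gets executed,
# and which permission bits the launching user therefore needs.

# kind FILE -> elf | script | other
kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;     # kernel loads the binary itself
        2321*)    echo script ;;  # "#!": the interpreter must open() the file
        *)        echo other ;;   # e.g. a PHP file pulled in by include/require
    esac
}

# needs FILE -> minimum bits for the user who launches or includes it
needs() {
    case "$(kind "$1")" in
        elf)    echo x ;;
        script) echo rx ;;
        other)  echo r ;;
    esac
}

# audit DIR -> "MODE NEEDED OK PATH" per file, where OK says whether a user
# who is neither owner nor group member has the needed bits right now
audit() {
    find "$1" -type f | sort | while read -r f; do
        mode=$(stat -c %a "$f")          # GNU stat (assumption)
        other=$((mode % 10))             # last octal digit = "other" bits
        need=$(needs "$f")
        ok=yes
        case "$need" in
            *r*) [ $((other & 4)) -ne 0 ] || ok=no ;;
        esac
        case "$need" in
            *x*) [ $((other & 1)) -ne 0 ] || ok=no ;;
        esac
        echo "$mode $need $ok ${f#"$1"/}"
    done
}

# Stand-alone use: sh thisfile.sh /path/to/app
if [ $# -gt 0 ]; then audit "$1"; fi
```

With every file at 711, the shebang script and its includes report `no` while a compiled binary reports `yes`, which matches the behaviour described in the question.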
