0

Is there any way to prevent a user from writing code to include a php file if they have access to the server? I can't use a .htaccess deny from all type solution because as I understand it that is only for remote access. I also can't use a solution like the ones described here link from Tyler Carter because I process all pages from one central call which includes the appropriate page parts. Thus, $_SERVER['PHP_SELF'] always returns the same file, and I can't get the FILE of the calling script in the called script. So neither of those work.

I simply want to prevent the parts I include in the central file not to themselves call other files on the server outside their own directory.

I hope I am missing something and that this can be accomplished with .htaccess?

I guess a bigger question is if this is even a worthwhile security endeavor?

Improve this question
3
  • if you don't trust someone with access to the server - why do they have access to the server? Commented Jul 23, 2015 at 0:42
  • You cant use filesystem permissions, doesn't each user have their own home folders ( CHROOT )? Sounds like you are worried about one user getting files from another user. If you have users executing php without you trusting them you have more to worry about the files, such as exec( ); commands and such. Commented Jul 23, 2015 at 0:47
  • I'm thinking more about security for cms systems where the admin will have acess to the server but the cms creator might not want files updated/ or included. Commented Jul 23, 2015 at 1:50

1 Answer 1

Reset to default
1

No.

If the user has the right to write files to your web-root, there is nothing you can do to prevent him/her from creating PHP files (short of writing your own FileSystem).

If you don't trust a user, they should not have the ability to write to your FS. This attack is actually quite commonly used in the real world against CMS installations. A user with file upload permissions uploads a PHP shell to take over the server.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Do you mean writing a filesystem on the server? or is there a way to write a filesystem in php?
It was a half-joking suggestion as the effort would be insane but: In theory you could write a filesystem (in FUSE or as a kernel driver) and mount that file system in the web root to enforce arbitrary access rules. Now, this is in theory and in practice you should just not give the user access.
As far as a modern cms is concerned there isn't a way around giving access to at least one admin, correct?
I guess you just have to trust the admin not to screw up their own system?
Yes. That's pretty much the definition of "admin" ;) If they screw with the system, then that's it for you.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.