how to restrict PHP script with file system access?

I have a PHP script, which MAY try to access files in the directories that have sensitive data. I want to restrict such operations.

I want to allow this script to access files/directories only in the directory I'm specifying. Is it 开发者_高级运维possible to do? Thanks.

Disclaimer: If you don't control the way PHP is set up on the server, this answer is useless.

We really need more information about your PHP setup, such as which web server it's using and which SAPI mode. You can find out which SAPI module is being used by running echophp_sapi_name()

However, if I were to assume it's Apache 2.2 with mod_php:

The Apache module version of PHP runs as the webserver's user and group. There's a second Apache module named suPHP that wraps the PHP CGI version to make it run as the script's owner and group (and avoids having to manually set up Apache's suEXEC for PHP).

Other than that, changing the permissions on the filesystem so that the user doesn't have read access to the sensitive directory and its files should be good enough.

Yes, simply write the script so that it only accesses files in your safe directories. Do not (ever) access a file from an unchecked path in user input. Either check the path against a list of acceptable paths and/or filenames, or include the path in the code that will access the file so that only file names are passed to the access code.

These functions will help: pathinfo() , dirname() , basename()

Something like this should work:

function isBelowAllowedPath($file, $allowedPath)
{
    return ( strpos( realpath($file), $allowedPath) === 0 );
}

isBelowAllowedPath('/etc/passwd', '/var/www/pub/'); // false
isBelowAllowedPath('/var/www/pub/index.htm', '/var/www/pub/'); // true

or if you want to make sure $file is there as well

function isBelowAllowedPath($file, $allowedPath)
{
    return file_exists( $allowedPath . basename(realpath($file)) );
}

isBelowAllowedPath('/../../../../etc/passwd', '/var/www/pub/'); // false
isBelowAllowedPath('index.htm', '/var/www/pub/'); // true

or if you want $file to be in a specific list of $allowedPaths (not below a path)

function isInAllowedPath($file, array $allowedPath)
{
    $fileDir = realpath(dirname($file));
    return (in_array($fileDir, $allowedPath));
}

$allowed = array('/var/www/pub/', 'somewhere/else');
isInAllowedPath('/var/www/pub/foo/index.htm', $allowed); // false
isInAllowedPath('/var/www/pub/index.htm', $allowed); // true

You would have to configure the directories' rights so that the user PHP runs as can't access them.

To do that on a Linux/Unix system, you would need the right to change the owner of the directories (chown) and to change its rights (chmod) and probably command line access. It really depends on how your server is configured, who owns the files, and who PHP runs as.

To find out the user ID of PHP's user on a Linux system use posix_getuid().

I can think of no other way to protect files from PHP-side access except removing access to certain functions via disable_functions. That, though, may (and probably will) break a lot of legitimate actions as well.