PHP
Vladimir, 2021-02-14 14:22:42

On behalf of whom are PHP scripts executed?

I always thought that only a process running as root can change its uid to any other without unnecessary gestures through the setuid system call. Well, that is, if the executable file does not have the suid bit set.

But I read this in "Hardening Wordpress": "When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server's user."

How is that possible? The Apache service initially starts as root, changes itself to www-data, and then works like this from www-data. Can it change its uid from www-data to any other?

P.S. suexec is not used;
P.P.S. the main files / directories of WP (since we are talking about it) have the owner wwwuser:www-data and the rights 0640/0750;
P.P.P.S. I did not expose any suid bits to anyone.


1 answer(s)
nokimaro, 2021-02-14
@Yumashka

You understand everything correctly, and if PHP scripts are executed by Apache, which, in turn, is launched from the www-data user, then in terms of rights differentiation, everything will work exactly as expected. If www-data does not have the suid flag, then the scripts will not be able to elevate or change the user.
There is a breakdown of this question on SO https://wordpress.stackexchange.com/questions/3787...
In short, the above quote from "Hardening Wordpress" is incorrect and misleading.
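
The rule discussed in this thread (a process that is not running as root cannot move itself to another uid with setuid) can be checked directly with the probe below. This is an added example, not part of the original question or answer; the function names and the use of uid 65534 ("nobody" on most Linux systems) are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try setuid(target) in a forked child so the caller's own credentials are
 * never changed. Returns 1 if the kernel allowed the switch, 0 if it was
 * refused, -1 if the probe itself could not run. */
int can_switch_to(uid_t target)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: report success only if the effective uid really changed. */
        int ok = (setuid(target) == 0 && geteuid() == target);
        _exit(ok ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* A uid that is not ours. 65534 is an assumed "nobody" uid; fall back to 1
 * if the current process already runs as 65534. */
uid_t some_other_uid(void)
{
    return geteuid() == 65534 ? (uid_t)1 : (uid_t)65534;
}

int main(void)
{
    uid_t other = some_other_uid();

    printf("real uid=%ld effective uid=%ld\n", (long)getuid(), (long)geteuid());
    /* Switching to a uid the process already holds is always permitted. */
    printf("setuid(%ld) [own uid]:   %s\n", (long)geteuid(),
           can_switch_to(geteuid()) == 1 ? "allowed" : "refused");
    /* Switching to a foreign uid needs root (CAP_SETUID on Linux). */
    printf("setuid(%ld) [other uid]: %s\n", (long)other,
           can_switch_to(other) == 1 ? "allowed" : "refused");
    return 0;
}
```

Run as an unprivileged account such as www-data, the second probe reports "refused"; run as root it reports "allowed", which is the window Apache uses when it starts as root and drops to www-data.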
