Giving Up Privileges
A classic security precaution when writing Unix daemons is to have them drop every privilege they do not need. Like being able to read and write files outside the directory it needs, holding unneeded privileges is a recipe for trouble: if the code (or PHP itself) has an exploitable flaw, the damage is limited when the daemon runs as a user with minimal rights to alter files on the system. One approach is simply to start the daemon as the unprivileged user. That is usually inadequate, because the program often has to open resources at start-up (logfiles, data files, sockets bound to ports below 1024, and so on) that the unprivileged user has no rights to. If you are running as root, you can instead open those resources first and then drop your privileges with the posix_setgid() and posix_setuid() functions. Here is an example that changes the running program's privileges to those of the user nobody. The group must be changed first, while the process is still root, because once the UID is unprivileged a setgid() to a different group is refused; and the return values must be checked, since a silently failed call leaves the daemon running as root:
$pw = posix_getpwnam('nobody');
if ($pw === false) { die("no such user: nobody\n"); }
// Group first: after setuid() to an unprivileged UID, setgid() would fail.
if (!posix_setgid($pw['gid'])) { die('setgid failed: ' . posix_strerror(posix_get_last_error()) . "\n"); }
if (!posix_setuid($pw['uid'])) { die('setuid failed: ' . posix_strerror(posix_get_last_error()) . "\n"); }
As with chroot(), any privileged resources that were open before the drop remain open, but new ones cannot be created, so open logfiles and bind low ports before calling posix_setgid() and posix_setuid(). Two further points matter in practice. First, confirm that the drop took effect, for example by comparing posix_getuid() and posix_geteuid() with the target UID and checking that posix_setuid(0) now fails; a daemon that assumes it dropped privileges but did not is worse than one that never tried. Second, neither call touches the supplementary group list inherited from root; posix_initgroups() can replace it with the target user's groups, and must be called while the process is still root.
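The following is an added example, not code from the original text: a complete start-up sequence that opens its privileged resources as root, drops to nobody in the correct order, resets the supplementary groups, and then verifies that root cannot be regained. The log path /var/log/mydaemon.log and TCP port 80 are placeholders chosen for illustration, and the script assumes it is started as root from the PHP CLI on a system where the account nobody exists.

```php
<?php
// Added example (not from the original article): open privileged resources,
// then drop to an unprivileged account and verify the drop.
// Assumptions: started as root, user "nobody" exists, and the log path and
// port below are placeholders for the daemon's real resources.

function open_privileged_resources(string $logPath, int $port): array
{
    // Both normally require root: a file under /var/log and a port below 1024.
    $log = fopen($logPath, 'ab');
    if ($log === false) {
        fwrite(STDERR, "cannot open $logPath\n");
        exit(1);
    }
    $sock = stream_socket_server("tcp://0.0.0.0:$port", $errno, $errstr);
    if ($sock === false) {
        fwrite(STDERR, "cannot bind port $port: $errstr ($errno)\n");
        exit(1);
    }
    return [$log, $sock];
}

function drop_privileges(string $user): void
{
    $pw = posix_getpwnam($user);
    if ($pw === false) {
        fwrite(STDERR, "no such user: $user\n");
        exit(1);
    }

    // Supplementary groups are not touched by setgid()/setuid(); replace the
    // list inherited from root with the target user's groups while still root.
    if (!posix_initgroups($pw['name'], $pw['gid'])) {
        fwrite(STDERR, 'initgroups failed: ' . posix_strerror(posix_get_last_error()) . "\n");
        exit(1);
    }
    // Order matters: change the group while still root, because once the UID
    // is unprivileged a later setgid() to a different group is refused.
    if (!posix_setgid($pw['gid'])) {
        fwrite(STDERR, 'setgid failed: ' . posix_strerror(posix_get_last_error()) . "\n");
        exit(1);
    }
    if (!posix_setuid($pw['uid'])) {
        fwrite(STDERR, 'setuid failed: ' . posix_strerror(posix_get_last_error()) . "\n");
        exit(1);
    }

    // Verify the drop: real and effective IDs must be the target's, and
    // regaining root must now be impossible.
    if (posix_getuid() !== $pw['uid'] || posix_geteuid() !== $pw['uid']
        || posix_getgid() !== $pw['gid'] || posix_getegid() !== $pw['gid']) {
        fwrite(STDERR, "privilege drop incomplete\n");
        exit(1);
    }
    if (posix_setuid(0)) {
        fwrite(STDERR, "privilege drop failed: process could regain root\n");
        exit(1);
    }
}

if (posix_geteuid() !== 0) {
    fwrite(STDERR, "must start as root to open privileged resources\n");
    exit(1);
}

[$log, $sock] = open_privileged_resources('/var/log/mydaemon.log', 80);
drop_privileges('nobody');

// From here on the process runs as nobody. The handles opened above keep
// working; a fresh open of the same privileged path should now be refused.
fwrite($log, 'running as uid ' . posix_getuid() . "\n");
if (@fopen('/var/log/mydaemon.log', 'ab') !== false) {
    fwrite(STDERR, "unexpected: log file is writable by the unprivileged user\n");
}

// The daemon's accept loop (stream_socket_accept($sock), ...) would follow here.
```

The script deliberately exits on every failed step rather than logging and continuing: a daemon that keeps running after a failed setuid() is still root, which is the very outcome the drop was meant to prevent. The final fopen() check is a cheap runtime confirmation that the new identity really lacks the rights the old one had.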