[webapps] PHP files owner
Jakub Bogusz
qboosh at pld-linux.org
Sat Jun 16 20:19:37 CEST 2007
Just some notes...
On Wed, Jun 13, 2007 at 01:52:01AM +0200, Tomasz Pala wrote:
[...]
> Assuming a bug in any webapp, e.g. seeking to any file or executing a
> binary:
> - safe_mode - as long as root is the owner, an attacker can read root's
> files having o+r or (g=http)+r, e.g. /etc/passwd or files containing
> database passwords: /etc/webapps/coppermine-gallery/config.inc.php,
> /etc/webapps/mediawiki/AdminSettings.php,
> /etc/webapps/phpMyAdmin/config.inc.php, /etc/webapps/phpwiki/config.ini,
> /etc/webapps/stacks-wiki/db.php, /etc/webapps/zabbix/db.inc.php
> Changing script owner makes safe_mode block this[1]. For now open_basedir
> does it too, but as it is application-level security I don't trust it
> (there were bugs) and IMHO it would be better to have the two work
> together,
> - suPHP and any other solution involving EUID changes - they are all
> SUID and it's obvious that the sooner they drop to an ordinary user
> (script owner) the better. Why give them a chance to stay and work
> with EUID=0? And this time the threat is bigger (although the system
> seems to be more secure! for users at least) - it includes not only
> reading some files, but also executing code with root privileges.
>
> My conclusion: there are some paths of privilege propagation from
> script owners. Although the risk is low and dependent on system
> configuration, we shall avoid it. We should not trust separation above
> the operating system.
>
> [1] even more - we must set safe_mode_include_dir for every application
> so that it could read its configuration file. This way we are sure that
> no other PHP script will have access.
Actually safe_mode is application-level (interpreter-level) too, placed
above the operating system.
And suPHP utilizes OS security (although it exposes higher risk in case
of a bug in its code running with EUID=0).
--
Jakub Bogusz http://qboosh.pl/
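
An added example, not part of the original thread or of PLD's tooling: a shell check that sorts files under a configuration directory by what actually keeps a PHP script from reading them, following the o+r / (g=http)+r condition and the owner comparison discussed above. The function name, its arguments and the two output labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# usage: audit_webapp_conf DIR SCRIPT_OWNER WEB_GROUP
#   DIR          directory holding webapp configuration, e.g. /etc/webapps
#   SCRIPT_OWNER user (name or uid) that owns the PHP scripts
#   WEB_GROUP    group (name or gid) the web server process runs with
#
# Only files the web server process can read at the OS level are listed,
# i.e. o+r, or g+r with the file's group equal to WEB_GROUP:
#   exposed           owner equals SCRIPT_OWNER, so the safe_mode owner
#                     comparison passes as well and nothing blocks the read
#   interpreter-only  owner differs, so only interpreter-level checks
#                     (safe_mode, open_basedir) stand in the way
# Files the web server cannot read are protected by the OS and not printed.
audit_webapp_conf() {
    dir=$1; owner=$2; group=$3
    find "$dir" -type f \( -perm -004 -o \( -group "$group" -perm -040 \) \) |
    sort |
    while IFS= read -r f; do
        # find prints the path only when the file belongs to $owner
        if [ -n "$(find "$f" -prune -user "$owner")" ]; then
            echo "exposed $f"
        else
            echo "interpreter-only $f"
        fi
    done
}

# Example invocation, assuming root-owned scripts and group "http" as in
# the thread:
#   audit_webapp_conf /etc/webapps root http
```
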