[php-maint] Bug#618489: php5-common: priviledge escalation in /etc/cron.d/php5
Stephane Chazelas
stephane.chazelas at seebyte.com
Tue Mar 15 16:17:50 UTC 2011
Package: php5-common
Version: 5.3.5-1
Severity: normal
/etc/cron.d/php5 has:
09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
$ ls -dl /var/lib/php5
drwx-wx-wt 2 root root 4096 Mar 15 15:40 /var/lib/php5/
That basically allows anyone to have root remove any file on
the file system.
For instance, by creating a /var/lib/php5/foo/passwd file, and then a
million files in /var/lib/php5/bar a few minutes later.

When /var/lib/php5/foo/passwd has exceeded its maxlifetime but not the
ones in /var/lib/php5/bar, assuming foo appears before bar, find will
output /var/lib/php5/foo/passwd and then spend a few minutes in
/var/lib/php5/bar during which the attacker can replace his
/var/lib/php5/foo directory with a symlink to /etc.
Then xargs will remove /etc/passwd.
Some workarounds:

- do not descend into subdirectories

    find /var/lib/php5/. ! -name . -prune -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -exec rm -f {} +

  (note the POSIX syntax instead of the non-standard GNU one)

- Or use non-standard find options -execdir or -delete.

    find /var/lib/php5/ -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -delete

  or:

    find /var/lib/php5/ -type f -cmin +"$(/usr/lib/php5/maxlifetime)" -execdir rm -f {} \;

See info -n 'Security Considerations' -f find for details.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.37-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5-common depends on:
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii sed 4.2.1-9 The GNU sed stream editor
Versions of packages php5-common recommends:
ii php5-suhosin 0.9.32.1-1 advanced protection module for php
php5-common suggests no packages.
-- no debconf information
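
Added example, not part of the original report or of the php5 package: the first workaround above wrapped in a function and run against a constructed sandbox, to check that files in subdirectories and behind symlinks are left alone. The function names and the sandbox layout are assumptions, and the sandbox passes -mmin instead of the cron job's -cmin because ctime cannot be back-dated.

```shell
#!/bin/sh
# Added example; function names and the sandbox layout are constructed.

# Remove regular files directly inside $1 that are older than $2 minutes,
# without descending into subdirectories (first workaround in the report).
# $3 is the find age test: -cmin as in the cron job by default; the sandbox
# uses -mmin because ctime cannot be back-dated.
purge_old_sessions() {
    find "$1/." ! -name . -prune -type f "${3:--cmin}" "+$2" -exec rm -f {} +
}

# List entries that are not regular files. This example assumes a session
# directory normally holds none, so any output deserves a look.
list_unexpected() {
    find "$1/." ! -name . -prune ! -type f -print
}

# Build a constructed sandbox and print its path.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir "$root/sessions" "$root/sessions/sub" "$root/outside"
    : > "$root/sessions/sess_new"
    for f in sessions/sess_old sessions/sub/nested_old outside/keep; do
        : > "$root/$f"
        touch -t 200001010000 "$root/$f"   # back-date mtime to the year 2000
    done
    ln -s ../outside "$root/sessions/link"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sandbox) || return 1
    purge_old_sessions "$root/sessions" 30 -mmin
    echo "unexpected entries:"; list_unexpected "$root/sessions"
    echo "files left:"; find "$root" -type f | sort
    rm -rf "$root"
}
demo
```

Only sessions/sess_old is removed; the nested file, the file behind the symlink and the fresh session file remain.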