[php-maint] Bug#618489: Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5

sean finney seanius at debian.org
Wed Mar 16 08:59:55 UTC 2011


Hi Stephane,

On Tue, Mar 15, 2011 at 04:17:50PM +0000, Stephane Chazelas wrote:
> 09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
 
> when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
> not the ones in /var/lib/php5/bar, assuming foo appears before
> bar, find will output /var/lib/php5/foo/passwd and then spend a
> few minutes in /var/lib/php5/bar during which the attacker can
> replace his /var/lib/php5/foo directory with a symlink to /etc.
> Then xargs will remove /etc/passwd.

Wouldn't xargs just remove the symlink?  I could see this being a
problem if xargs was putting something *into* the files, but don't
see the particular issue here.

	Sean
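
Added example, not part of the original message or of the php5 package: a sandboxed shell sketch of the two cases the exchange above turns on, a symlink as the last path component versus a symlink swapped in for an intermediate directory after the path was listed. All paths are constructed under a temporary directory; `sessions` stands in for /var/lib/php5 and `target` for /etc, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sandbox: nothing outside a fresh mktemp directory is touched.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir -p "$SANDBOX/sessions/foo" "$SANDBOX/target"
    echo stale > "$SANDBOX/sessions/foo/passwd"     # expired session file
    echo important > "$SANDBOX/target/passwd"       # file that must survive
}

# Report what happened to the target file and to the symlink at path $1.
report() {
    if [ -e "$SANDBOX/target/passwd" ]; then r=target-kept
    else r=target-deleted; fi
    if [ -L "$1" ]; then r="$r,link-kept"; else r="$r,link-removed"; fi
    rm -rf "$SANDBOX"
    echo "$r"
}

# Case 1: the directory "foo" becomes a symlink between listing and removal.
# Path resolution follows symlinks in every component except the last, so
# rm unlinks the file inside the directory the link points to.
intermediate_symlink_case() {
    setup_sandbox || return 2
    listed="$SANDBOX/sessions/foo/passwd"   # path find has already printed
    rm -rf "$SANDBOX/sessions/foo"
    ln -s "$SANDBOX/target" "$SANDBOX/sessions/foo"
    rm -f -- "$listed"                      # what xargs runs later
    report "$SANDBOX/sessions/foo"
}

# Case 2: the listed file itself is a symlink. unlink(2) does not follow
# the final component, so only the link goes away.
final_symlink_case() {
    setup_sandbox || return 2
    listed="$SANDBOX/sessions/foo/passwd"
    rm -f -- "$listed"
    ln -s "$SANDBOX/target/passwd" "$listed"
    rm -f -- "$listed"
    report "$listed"
}

echo "intermediate component: $(intermediate_symlink_case)"
echo "final component:        $(final_symlink_case)"
```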
