[php-maint] Bug#618489: Bug#618489: php5-common: priviledge escalation in /etc/cron.d/php5

[Stephane Chazelas]

2011-03-16 09:59:55 +0100, sean finney:
> Hi Stephane,

Hi Sean,

> On Tue, Mar 15, 2011 at 04:17:50PM +0000, Stephane Chazelas wrote:
> > 09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
>  
> > when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
> > not the ones in /var/lib/php5/bar, assuming foo appears before
> > bar, find will output /var/lib/php5/foo/passwd and then spend a
> > few minutes in /var/lib/php5/bar during which the attacker can
> > replace his /var/lib/php5/foo directory with a symlink to /etc.
> > Then xargs will remove /etc/passwd.
> 
> Wouldn't xargs just remove the symlink?  I could see this being a
> problem if xargs was putting something *into* the files, but don't
> see the particular issue here.
[...]

No, please look carefully. It's not "passwd" that's the
symlink, it's foo (to /etc). rm would remove
/var/lib/php5/foo/passwd, that is it would unlink the "passwd"
entry from the directory pointed to by "foo", that is "/etc".

It's such a common mistake that it is documented in GNU
findutils documentation which I gave a reference to.

Cheers,
Stephane