[php-maint] Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5

Sean Finney seanius at debian.org
Thu Mar 17 07:41:28 UTC 2011


On Wed, 2011-03-16 at 21:57 -0600, Raphael Geissert wrote:
> On 16 March 2011 03:40, sean finney <seanius at debian.org> wrote:
> > On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
> >> No, please look carefully. It's not "passwd" that's the
> >> symlink, it's foo (to /etc). rm would remove
> >> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
> >> entry from the directory pointed to by "foo", that is "/etc".
> >
> > oh, right.  well good catch then, i guess we'll need to prepare
> > a stable security update...
> 
> Yes, I'm on it.
> For sid I'm inclined to make /var/lib/php5 uid: root, gid: www-data,
> and remove the world-rw mode. Why would we want to allow anyone else
> to use that dir anyway? perhaps I'm missing some bits of history.

I would suggest instead of using -delete, that we use -maxdepth 1.  I
think technically there's still some small window of opportunity (maybe
not exploitable, but still) in between the find comparisons and the
delete action, and I don't think we need to descend into directories in
the first place since the session files are all in the top level of
that directory.  I made a patch last night but my colo'd server has been
up and down for the past few days :/  I'll attach it here instead of
pushing it, so we can decide what makes the most sense.

Regarding the permissions, I also agree and don't know why they were
world read/writable, whether someone was just copying the perms
from /tmp or had a reason to do so.  Not sure whether that also warrants
going into stable or not, but we could at least try it out in unstable
and see if anyone complains :)

thoughts?

	sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-session-gc-cronjob-to-prevent-race-condition-wit.patch
Type: text/x-patch
Size: 1151 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20110317/e2339514/attachment.bin>
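The check-then-act gap that Stephane and Sean describe above, as an added shell example (not the Debian cron job and not Sean's attached patch): it rebuilds the scene in a throwaway directory, with a session directory standing in for /var/lib/php5, an attacker-created subdirectory "foo" holding a backdated decoy "passwd", and a pretend /etc. A simplified recursive find selects candidate paths, the attacker's directory-to-symlink swap is performed in the window before rm runs, and rm then resolves the selected path through the symlink. The same steps are repeated with -maxdepth 1, where no path under "foo" is ever selected. The -mmin +60 test, the file names and the two-step find/rm split are constructed for the demo and are not the package's real maxlifetime check.

```shell
#!/bin/sh
# Added example, not the php5 package's cron job: reproduce the window between
# "find selects a path" and "rm resolves that path", then show -maxdepth 1.
# Everything lives under a mktemp directory; no real /var/lib/php5 or /etc is touched.

# Build the constructed scene: $1/sessions plays /var/lib/php5, $1/etc plays /etc.
setup_scene() {
    mkdir -p "$1/sessions/foo" "$1/etc"
    echo "root:x:0:0:root:/root:/bin/sh" > "$1/etc/passwd"
    # Attacker-created decoy, backdated so any "older than maxlifetime" test selects it.
    touch -t 200001010000 "$1/sessions/foo/passwd"
    # A genuinely stale top-level session file that gc should remove.
    touch -t 200001010000 "$1/sessions/sess_deadbeef"
}

# The attacker's move inside the race window: the real directory becomes a
# symlink to the target directory, so sessions/foo/passwd now names etc/passwd.
swap_in_symlink() {
    rm -rf "$1/sessions/foo"
    ln -s "$1/etc" "$1/sessions/foo"
}

# Remove every path find selected. The split into "select, then unlink by path"
# is a simplification of the original -exec/-delete behaviour for the demo.
unlink_selected() {
    while IFS= read -r f; do
        rm -f "$f"
    done < "$1/selected"
}

# Recursive gc as described in the thread (approximation, not the exact cron line):
# find descends into foo/, selects foo/passwd, and the swap happens before rm.
gc_recursive_then_rm() {
    find "$1/sessions" -type f -mmin +60 -print > "$1/selected"
    swap_in_symlink "$1"
    unlink_selected "$1"
}

# Hardened gc: only entries directly in the session directory are candidates,
# so a path through an attacker-controlled subdirectory is never selected.
gc_maxdepth1_then_rm() {
    find "$1/sessions" -maxdepth 1 -type f -mmin +60 -print > "$1/selected"
    swap_in_symlink "$1"
    unlink_selected "$1"
}

# Run one gc variant in a fresh scene and report two words:
# whether the pretend /etc/passwd "survived" or was "unlinked",
# and whether the stale session file was "removed" or "kept".
run_case() {
    scene=$(mktemp -d)
    setup_scene "$scene"
    "$1" "$scene"
    if [ -e "$scene/etc/passwd" ]; then passwd=survived; else passwd=unlinked; fi
    if [ -e "$scene/sessions/sess_deadbeef" ]; then sess=kept; else sess=removed; fi
    rm -rf "$scene"
    echo "$passwd $sess"
}

# Stand-alone run: show both outcomes side by side.
echo "recursive find + rm : passwd/session = $(run_case gc_recursive_then_rm)"
echo "find -maxdepth 1 + rm: passwd/session = $(run_case gc_maxdepth1_then_rm)"
```

Both variants still remove the stale top-level session file; the difference is only that the recursive one can be steered into unlinking an entry in a directory the cron job was never meant to touch. The demo forces the swap to land in the window; in the real cron job it is a race, which is why the thread treats the window as small but not something to rely on.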