[php-maint] Bug#618489: Bug#618489: Bug#618489: Bug#618489: php5-common: priviledge escalation in /etc/cron.d/php5
Stephane Chazelas
stephane.chazelas at seebyte.com
Thu Mar 17 09:45:23 UTC 2011
2011-03-17 08:41:28 +0100, Sean Finney:
> On Wed, 2011-03-16 at 21:57 -0600, Raphael Geissert wrote:
> > On 16 March 2011 03:40, sean finney <seanius at debian.org> wrote:
> > > On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
> > >> No, please look carefully. It's not "passwd" that's the
> > >> symlink, it's foo (to /etc). rm would remove
> > >> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
> > >> entry from the directory pointed to by "foo", that is "/etc".
> > >
> > > oh, right. well good catch then, i guess we'll need to prepare
> > > a stable security update...
> >
> > Yes, I'm on it.
> > For sid I'm inclined to make /var/lib/php5 uid: root, gid: www-data,
> > and remove the world-rw mode. Why would we want to allow anyone else
> > to use that dir anyway? perhaps I'm missing some bits of history.
>
> I would suggest instead of using -delete, that we use -maxdepth 1.
Note that the standard equivalent of find ... -maxdepth 1 is (as
I suggested in my initial report):
find .../. ! -name . -prune ...
(stricktly speaking, that would be more -mindepth 1 -maxdepth 1)
> I think technically there's still some small window of oppurtunity (maybe
> not exploitable, but still) in between the find comparisons and the
> delete action
GNU's -delete does some unlinkat(2) and find would use O_NOFOLLOW to
descend into subdirs, so I don't think there would be race
conditions there.
> and i don't think we need to decend into directories in
> the first place since the session files are all in the top level of
> that directory.
Agreed.
> i made a patch last night but my colo'd server has been
> up and down for the past few days :/ i'll attach it here instead of
> pushing it, so we can decide what makes the most sense.
>
> Regarding the permissions, I also agree and don't know why they were
> world read/writable, whether someone was just copying the perms
> from /tmp or had a reason to do so. Not sure whether that also warrants
> going into stable or not, but we could at least try it out in unstable
> and see if anyohne complains :)
[...]
> +09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
Note that I gave a POSIX equivalent of that command.
Another reason for using -delete (you're using GNU syntax
anyway) is that files are removed just after their time stamp is
checked.
Cheers,
Stephane
More information about the pkg-php-maint
mailing list