[php-maint] Bug#618489: php5-common: privilege escalation in /etc/cron.d/php5

Stephane Chazelas stephane.chazelas at seebyte.com
Thu Mar 17 09:45:23 UTC 2011


2011-03-17 08:41:28 +0100, Sean Finney:
> On Wed, 2011-03-16 at 21:57 -0600, Raphael Geissert wrote:
> > On 16 March 2011 03:40, sean finney <seanius at debian.org> wrote:
> > > On Wed, Mar 16, 2011 at 09:27:29AM +0000, Stephane Chazelas wrote:
> > >> No, please look carefully. It's not "passwd" that's the
> > >> symlink, it's foo (to /etc). rm would remove
> > >> /var/lib/php5/foo/passwd, that is it would unlink the "passwd"
> > >> entry from the directory pointed to by "foo", that is "/etc".
> > >
> > > oh, right.  well good catch then, i guess we'll need to prepare
> > > a stable security update...
> > 
> > Yes, I'm on it.
> > For sid I'm inclined to make /var/lib/php5 uid: root, gid: www-data,
> > and remove the world-rw mode. Why would we want to allow anyone else
> > to use that dir anyway? perhaps I'm missing some bits of history.
> 
> I would suggest instead of using -delete, that we use -maxdepth 1.

Note that the standard equivalent of find ... -maxdepth 1 is (as
I suggested in my initial report):

find .../. ! -name . -prune ...

(strictly speaking, that would be more -mindepth 1 -maxdepth 1)

> I think technically there's still some small window of opportunity (maybe
> not exploitable, but still) in between the find comparisons and the
> delete action

GNU's -delete does some unlinkat(2) and find would use O_NOFOLLOW to
descend into subdirs, so I don't think there would be race
conditions there.

> and i don't think we need to descend into directories in
> the first place since the session files are all in the top level of
> that directory.

Agreed.

> i made a patch last night but my colo'd server has been
> up and down for the past few days :/  i'll attach it here instead of
> pushing it, so we can decide what makes the most sense.
> 
> Regarding the permissions, I also agree and don't know why they were
> world read/writable, whether someone was just copying the perms
> from /tmp or had a reason to do so.  Not sure whether that also warrants
> going into stable or not, but we could at least try it out in unstable
> and see if anyone complains :)


[...]
> +09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
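Review bot: the `-print0 | xargs -n 200 -r -0 rm` tail of this cron line keeps the check-then-act gap under discussion, because find evaluates `-cmin` and rm later unlinks by pathname, so the entry can change between the two steps. Since the line already relies on GNU `-maxdepth`, `-delete` is the simpler choice and removes each entry immediately after it passes the tests: `find /var/lib/php5/ -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete`. With `-maxdepth 1 -type f` the symlink case from the earlier mails (`foo -> /etc`) is already excluded, as find without -L tests the link itself rather than its target, and `-mindepth 1` is not needed because `-type f` rejects the starting directory.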

Note that I gave a POSIX equivalent of that command.

Another reason for using -delete (you're using GNU syntax
anyway) is that files are removed just after their time stamp is
checked.

Cheers,
Stephane
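The window the thread is about, and the top-level-only listing that closes it, replayed on a throwaway directory tree. This is an added example, not the Debian package's cron job or any code from the thread; the function names (list_recursive, list_top_level, replay_race, demo) are the example's own. It assumes a Linux find/xargs with -print0/-0/-r, paths from mktemp -d without whitespace, and it backdates mtime and tests -mtime +0 instead of -cmin +N, because ctime (which the real job tests) cannot be set from user space. The race is made deterministic by recording find's output to a file, swapping the directory for a symlink, and only then feeding the recorded names to rm.

```shell
#!/bin/sh
# Added example (not the php5 package's own cron job): replay the
# check-then-act window behind the /etc/cron.d/php5 report, then show that
# restricting find to the top level (POSIX "! -name . -prune", the portable
# spelling of GNU -maxdepth 1) removes the subdirectory entry from the listing.
#
# Assumptions: mtime is backdated with touch(1) and tested with -mtime +0
# (at least one day old) in place of the real job's -cmin +N, since ctime
# cannot be set from user space; find -print0 / xargs -0 -r are available.

# list_recursive DIR: the original job's selection, descending into subdirs.
list_recursive() {
    find "$1" -type f -mtime +0 -print0
}

# list_top_level DIR: same age test, but only entries directly inside DIR.
# "DIR/." gives the starting point the basename ".", so "! -name . -prune"
# prunes every child (no descent into real subdirectories) while DIR itself
# is still read.  Without -L, -type f is tested on the link, not its target,
# so a symlink DIR/foo -> /etc is rejected outright.
list_top_level() {
    find "$1/." ! -name . -prune -type f -mtime +0 -print0
}

# replay_race ROOT LISTER: constructs ROOT/sessions/foo/passwd (a stale file
# inside a real subdirectory the attacker controls), a stale top-level
# session file, and a victim ROOT/etc/passwd, then runs the three steps:
#   1. check:    LISTER records the stale pathnames, as the cron job's find does;
#   2. attacker: the real directory foo is swapped for a symlink to ROOT/etc;
#   3. act:      xargs rm receives the recorded names and unlinks by pathname.
# Returns 0 if ROOT/etc/passwd was removed (the attack worked), 1 otherwise.
replay_race() {
    root=$1; lister=$2
    mkdir -p "$root/sessions/foo" "$root/etc"
    : > "$root/sessions/foo/passwd"
    : > "$root/sessions/sess_stale"
    : > "$root/etc/passwd"
    touch -t 202001010000 "$root/sessions/foo/passwd" "$root/sessions/sess_stale"

    "$lister" "$root/sessions" > "$root/stale.list"   # 1. check
    rm -r "$root/sessions/foo"                          # 2. attacker wins the race
    ln -s "$root/etc" "$root/sessions/foo"
    xargs -0 -r rm -f < "$root/stale.list"              # 3. act, by pathname

    [ ! -e "$root/etc/passwd" ]
}

# demo: returns 0 when the recursive listing loses ROOT/etc/passwd while the
# top-level listing keeps it and still expires ROOT/sessions/sess_stale.
demo() {
    bad=$(mktemp -d) && good=$(mktemp -d) || return 1
    rc=1
    if replay_race "$bad" list_recursive &&
       ! replay_race "$good" list_top_level &&
       [ ! -e "$good/sessions/sess_stale" ]; then
        rc=0
    fi
    rm -rf "$bad" "$good"
    return "$rc"
}

demo && echo "recursive listing lost etc/passwd; top-level listing kept it"
```

On GNU find the `-exec rm -f {} +` or `xargs rm` tail can be replaced by `-delete`, which unlinks each entry right after it passes the tests; the POSIX prune form keeps the pathname-based removal but no longer lists anything below the top level, so there is nothing for a swapped directory to redirect.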





More information about the pkg-php-maint mailing list