[php-maint] Bug#766147: php5-common: session cleanup can be misused to change modification time of arbitrary files to "now" when symlink protection not enabled

Fiedler Roman Roman.Fiedler at ait.ac.at
Tue Oct 21 07:52:46 UTC 2014

Package: php5-common 
Version: 5.4.4-14+deb7u14
Tags: security

/usr/lib/php5/sessionclean from [1] enables any process allowed to create
entries in /var/lib/php5 to adjust the modification time of any file by
waiting for the /etc/cron.d/php5 session cleanup job to run. This requires
/proc/sys/fs/protected_symlinks to be set to 0 (off), which is not the
default in Debian 7 Wheezy and up according to information from Debian
security team.

Even for affected systems, the impact might be small, just annoying:

* backup/IDS might be unhappy when file modification time is changed every
* some spoolers might work differently since stale file could be prevented
from reaching required age for next action
* some privileged /proc or /sys entries might not handle modification time
update correctly or react in a strange way
* Sudo credentials cache might be affected (not checked)

To my judgement, the session cleanup code does _NOT_ allow to create
arbitrary files ("touch -c" is used), hence it would not be possible to use
this to create e.g. /etc/suid-debug


su -s /bin/bash nobody
cd /var/lib/php5
ln -s /etc/passwd xxx
cat > "xxx yyy"
# wait


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6344 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20141021/34b7dd49/attachment.bin>

More information about the pkg-php-maint mailing list