Bug #16126 security problem when handling ~user
Submitted: 2002-03-17 10:59 UTC Modified: 2002-03-17 11:10 UTC
From: ofer at edvicesecurity dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.1.0 OS: linux
Private report: No CVE-ID: None
 [2002-03-17 10:59 UTC] ofer at edvicesecurity dot com
Ok.. this is not exactly a 'bug', but rather something that seems like a security design problem. I already mailed security@apache.org, cause I think this falls somehow between the two, but I am sending it to the PHP team as well. I hope this is the right address to mail it to, if not, please tell me where to send it to, or forward it to whoever needs to read it. 

anyway, here goes:
------------------------------------------------------------
Hello,

I have recently built a page under a certain linux host running Apache + PHP, under a regular user I have on that machine (I do not have root access or apache administration access - it's simply an educational computer with hundreds of accounts, all allowing ~user under the public_html directory).

Now, what I have noticed is interesting and troubling altogether, unless I am missing some major configuration bit (though I did look through the httpd.conf AND searched the site documents for it). 
All the PHP scripts I am running are running using the Apache:Apache user and group, instead of using MyUser:MyGroup. This has several security implications: 
1. I can upload through it a lot more files to my home directory than my quota allows.
2. I need to give all the data files I want to update 666 permissions, and all upload directories 777, so the apache user can write to them, which risks my files. 
3. Even if I build the scripts so they will create the files under the apache:apache user (so a simple 644 is enough for the file to be updated by the PHP, though then I can't update it manually), then every other user in the system can build a php script that erases or changes all my files.
4. _I_ can change the contents of every other file any user has put in his home directory with write permissions to the apache server.
5. I can change/erase many default installation files of the apache server that were installed as apache:apache.

The solution to all this is obviously very very simple. The mapping of the UserDir should make sure that once a directory is accessed using ~, the apache httpd will open a new instance of the httpd, running with euid and egid of the user appearing after the ~, that will access his homepage. However, I was unable to find such a configuration option.

So, I would like to know if I have missed something out (as did the administrator of the computer I am using), and this is, indeed, configurable, or whether this is, in fact, a major security problem. 

Thanks in advance for the information,

Ofer Maor
Senior Security Consultant
eDvice Security Services.
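Points 2 through 4 of the report above describe the concrete, checkable artefact of the design the reporter objects to: data files at 666 and upload directories at 777 under public_html, writable by any script the shared httpd user runs. The following is an added audit example, not code from the report, from Apache or from PHP: it walks a directory tree and lists every file or directory whose mode grants write access to "other", which is exactly what an administrator or user on such a shared host would want to find. The `build_sample_tree` helper constructs a throwaway public_html layout in a temporary directory purely to demonstrate the check; the file names and modes in it are assumptions, not taken from the report.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Walk `root` and return sorted (relative path, mode) pairs for every
    regular file or directory that is writable by 'other' (mode bit 0o002),
    i.e. the 666 / 777 settings the report says are needed so the shared
    apache user can write into a user's public_html. Symlinks are skipped
    because their own mode bits are meaningless on most systems."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root),
                                 stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (an assumption for this example, not data from
    the report): an upload directory at 777 and a counter file at 666 next to
    a properly restricted directory and script. Returns the tree's root."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.mkdir(os.path.join(root, "private"))
    os.chmod(os.path.join(root, "private"), 0o755)
    with open(os.path.join(root, "counter.txt"), "w") as f:
        f.write("0\n")
    os.chmod(os.path.join(root, "counter.txt"), 0o666)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    os.chmod(os.path.join(root, "index.php"), 0o644)
    return root


if __name__ == "__main__":
    # Audit the constructed tree; on a real host point this at ~user/public_html.
    sample_root = build_sample_tree()
    for rel_path, mode in find_world_writable(sample_root):
        print("%04o  %s" % (mode, rel_path))
```

Run against a real public_html, each line this prints is a file or directory that every other account's scripts on the same shared httpd can modify or delete, which is the exposure points 3 and 4 of the report describe; the fix is to stop relying on world-writable modes rather than to tighten them one at a time.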

 [2002-03-17 11:10 UTC] rasmus@php.net
This is basically an RTFM.  Sent an explanation privately.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jun 26 16:01:30 2024 UTC