Bug #7933 install sets dangerous user.group's
Submitted: 2000-11-22 16:27 UTC Modified: 2001-04-27 21:26 UTC
From: andre at tomt dot net Assigned:
Status: Closed Package: Installation problem
PHP Version: 4.0.3pl1 OS: Linux-2.2.18pre22-hard-vm
Private report: No CVE-ID: None
 [2000-11-22 16:27 UTC] andre at tomt dot net
The installation from the source tarballs installs a lot of include files with a wrong owner.group flag. This can be potentially very dangerous, allowing a user with the same UID, and in some cases the same GID as the files, to modify header files in the PHP installation.

This also goes for some files installed by Apache's makefiles, but on less "dangerous" files. A separate bug report will be issued in their direction later tonight.

Here's a list of the files not owned by root.
/usr/local/include/php/Zend/FlexLexer.h
/usr/local/include/php/Zend/acconfig.h
/usr/local/include/php/Zend/modules.h
/usr/local/include/php/Zend/zend-parser.h
/usr/local/include/php/Zend/zend-scanner.h
/usr/local/include/php/Zend/zend.h
/usr/local/include/php/Zend/zend_API.h
/usr/local/include/php/Zend/zend_alloc.h
/usr/local/include/php/Zend/zend_builtin_functions.h
/usr/local/include/php/Zend/zend_compile.h
/usr/local/include/php/Zend/zend_config.w32.h
/usr/local/include/php/Zend/zend_constants.h
/usr/local/include/php/Zend/zend_dynamic_array.h
/usr/local/include/php/Zend/zend_errors.h
/usr/local/include/php/Zend/zend_execute.h
/usr/local/include/php/Zend/zend_execute_locks.h
/usr/local/include/php/Zend/zend_extensions.h
/usr/local/include/php/Zend/zend_fast_cache.h
/usr/local/include/php/Zend/zend_globals.h
/usr/local/include/php/Zend/zend_globals_macros.h
/usr/local/include/php/Zend/zend_hash.h
/usr/local/include/php/Zend/zend_highlight.h
/usr/local/include/php/Zend/zend_indent.h
/usr/local/include/php/Zend/zend_list.h
/usr/local/include/php/Zend/zend_llist.h
/usr/local/include/php/Zend/zend_operators.h
/usr/local/include/php/Zend/zend_ptr_stack.h
/usr/local/include/php/Zend/zend_stack.h
/usr/local/include/php/Zend/zend_static_allocator.h
/usr/local/include/php/Zend/zend_variables.h
/usr/local/include/php/TSRM/TSRM.h
/usr/local/include/php/TSRM/acconfig.h
/usr/local/include/php/TSRM/readdir.h
/usr/local/include/php/TSRM/tsrm_config.w32.h
/usr/local/include/php/TSRM/tsrm_config_common.h
/usr/local/include/php/TSRM/tsrm_strtok_r.h
/usr/local/include/php/TSRM/tsrm_virtual_cwd.h
/usr/local/include/php/ext/standard/base64.h
/usr/local/include/php/ext/standard/basic_functions.h
/usr/local/include/php/ext/standard/cyr_convert.h
/usr/local/include/php/ext/standard/datetime.h
/usr/local/include/php/ext/standard/dl.h
/usr/local/include/php/ext/standard/dns.h
/usr/local/include/php/ext/standard/exec.h
/usr/local/include/php/ext/standard/file.h
/usr/local/include/php/ext/standard/flock_compat.h
/usr/local/include/php/ext/standard/fsock.h
/usr/local/include/php/ext/standard/head.h
/usr/local/include/php/ext/standard/html.h
/usr/local/include/php/ext/standard/info.h
/usr/local/include/php/ext/standard/md5.h
/usr/local/include/php/ext/standard/microtime.h
/usr/local/include/php/ext/standard/pack.h
/usr/local/include/php/ext/standard/pageinfo.h
/usr/local/include/php/ext/standard/php_array.h
/usr/local/include/php/ext/standard/php_assert.h
/usr/local/include/php/ext/standard/php_browscap.h
/usr/local/include/php/ext/standard/php_crypt.h
/usr/local/include/php/ext/standard/php_dir.h
/usr/local/include/php/ext/standard/php_ext_syslog.h
/usr/local/include/php/ext/standard/php_filestat.h
/usr/local/include/php/ext/standard/php_image.h
/usr/local/include/php/ext/standard/php_incomplete_class.h
/usr/local/include/php/ext/standard/php_iptc.h
/usr/local/include/php/ext/standard/php_lcg.h
/usr/local/include/php/ext/standard/php_link.h
/usr/local/include/php/ext/standard/php_mail.h
/usr/local/include/php/ext/standard/php_math.h
/usr/local/include/php/ext/standard/php_metaphone.h
/usr/local/include/php/ext/standard/php_output.h
/usr/local/include/php/ext/standard/php_parsedate.h
/usr/local/include/php/ext/standard/php_rand.h
/usr/local/include/php/ext/standard/php_standard.h
/usr/local/include/php/ext/standard/php_string.h
/usr/local/include/php/ext/standard/php_var.h
/usr/local/include/php/ext/standard/quot_print.h
/usr/local/include/php/ext/standard/reg.h
/usr/local/include/php/ext/standard/scanf.h
/usr/local/include/php/ext/standard/type.h
/usr/local/include/php/ext/standard/uniqid.h
/usr/local/include/php/ext/standard/url.h
/usr/local/include/php/ext/standard/url_scanner.h
/usr/local/include/php/ext/standard/php_smart_str.h
/usr/local/include/php/ext/standard/url_scanner_ex.h
/usr/local/include/php/ext/xml/expat/xmlparse/expat_hashtable.h
/usr/local/include/php/ext/xml/expat/xmlparse/xmlparse.h
/usr/local/include/php/ext/xml/expat/xmltok/asciitab.h
/usr/local/include/php/ext/xml/expat/xmltok/iasciitab.h
/usr/local/include/php/ext/xml/expat/xmltok/latin1tab.h
/usr/local/include/php/ext/xml/expat/xmltok/nametab.h
/usr/local/include/php/ext/xml/expat/xmltok/utf8tab.h
/usr/local/include/php/ext/xml/expat/xmltok/xmldef.h
/usr/local/include/php/ext/xml/expat/xmltok/xmlrole.h
/usr/local/include/php/ext/xml/expat/xmltok/xmltok.h
/usr/local/include/php/ext/xml/expat/xmltok/xmltok_impl.h
/usr/local/include/php/ext/xml/php_xml.h
/usr/local/include/php/main/SAPI.h
/usr/local/include/php/main/config.w32.h
/usr/local/include/php/main/configuration-parser.h
/usr/local/include/php/main/fdfdata.h
/usr/local/include/php/main/fopen-wrappers.h
/usr/local/include/php/main/internal_functions_registry.h
/usr/local/include/php/main/logos.h
/usr/local/include/php/main/php.h
/usr/local/include/php/main/php3_compat.h
/usr/local/include/php/main/php_compat.h
/usr/local/include/php/main/php_content_types.h
/usr/local/include/php/main/php_globals.h
/usr/local/include/php/main/php_ini.h
/usr/local/include/php/main/php_main.h
/usr/local/include/php/main/php_reentrancy.h
/usr/local/include/php/main/php_regex.h
/usr/local/include/php/main/php_syslog.h
/usr/local/include/php/main/php_ticks.h
/usr/local/include/php/main/php_variables.h
/usr/local/include/php/main/php_version.h
/usr/local/include/php/main/rfc1867.h
/usr/local/include/php/main/safe_mode.h
/usr/local/include/php/main/snprintf.h
/usr/local/include/php/main/win95nt.h
/usr/local/include/php/main/php_network.h
/usr/local/include/php/main/php_open_temporary_file.h
/usr/local/include/php/regex/cclass.h
/usr/local/include/php/regex/cname.h
/usr/local/include/php/regex/regex.h
/usr/local/include/php/regex/regex2.h
/usr/local/include/php/regex/regex_extra.h
/usr/local/include/php/regex/utils.h
/usr/local/include/php/acconfig.h

 [2000-12-18 11:32 UTC] sniper@php.net
Setting the permissions and owners of files is your
duty and responsibility.

--Jani
 [2000-12-19 03:21 UTC] andre at tomt dot net
Ok, I'm posting some more info, on request.

The 'problem' seems to be that these header files get installed without shtool setting sane ownerships. If you untar/compile it as root, you get whatever uid/gid ownership those files had inside the tarball. If you on the other hand untar/compile it as a 'normal' user, they will probably get that user's ownership (untested).

For the record, ownerships are 'wrong' after installation (make install), in $PREFIX/include/php

Of course this is no problem for paranoid admins like me, who check things often, but for the average person installing PHP, this could be an issue.

-- 
trippeh.
 [2001-04-27 21:26 UTC] sniper@php.net
The header files get installed with the same user/group
as the user installing them is. At least all files
I have installed (latest CVS) have root.root as owners.

--Jani
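
A post-install check for the condition discussed in this report, as an added example (not part of the PHP build system or of any comment above): it lists entries under `$PREFIX/include/php` whose owner or group differs from the expected one, or that group or others can write. The function names `audit_headers` and `report_headers` and the root.root default (uid 0, gid 0) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit ownership and write bits of installed header files.
# Usage after "make install":  report_headers /usr/local/include/php 0 0

# Print every entry under DIR that is not owned by WANT_UID:WANT_GID
# (numeric, default 0:0) or that is group- or world-writable.
audit_headers() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    [ -d "$dir" ] || {
        echo "audit_headers: no such directory: $dir" >&2
        return 2
    }
    # -user/-group accept numeric ids. -perm -020 and -perm -002 match
    # group-writable and world-writable entries. Symlinks are skipped
    # because their own mode bits carry no meaning.
    find "$dir" ! -type l \( ! -user "$want_uid" -o ! -group "$want_gid" \
        -o -perm -020 -o -perm -002 \) -print
}

# Show numeric owner, group and mode for each finding. Returns 1 when
# anything was found, so the check can gate a deployment step.
report_headers() {
    findings=$(audit_headers "$@") || return $?
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | while IFS= read -r path; do
        ls -ldn "$path"
    done
    return 1
}
```

Findings can be corrected with `chown -R` on the reported tree; unpacking the tarball as root with `tar --no-same-owner` avoids carrying over the uid/gid stored in the archive.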

 
Last updated: Fri Dec 27 02:01:29 2024 UTC