PHP :: Bug #2360 :: Chmod in safe mode allows setuid bits

Bug #2360	Chmod in safe mode allows setuid bits
Submitted:	1999-09-22 16:30 UTC	Modified:	2000-06-09 12:37 UTC
From:	mic at uts dot cc dot utexas dot edu	Assigned:
Status:	Closed	Package:	Misbehaving function
PHP Version:	4.0 Beta 2	OS:	Digital Unix 4.0F
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[1999-09-22 16:30 UTC] mic at uts dot cc dot utexas dot edu

The chmod function can set the setuid bit on a file that the script has created.  Since these files are owned by the Web server uid, even in safe mode you can create a setuid copy of /bin/sh using a PHP script and then use the setuid shell to access files as the Web server user.  I can supply my test script upon request.

This issue is a moot point when safe mode is not in effect, since then you can simply exec any shell command you want as the Web server uid. Sites that do use safe mode to restrict program execution under the Web server uid are more prone to the problem, and then only if they offer interactive login access and also have user-writable file systems that allow setuid program execution.  This is a fairly small set of sites but it's probably nonempty.

Chmod should probably not allow setuid bits when safe mode is in effect.

Regards,

Mic Kaczmarczik
mic@uts.cc.utexas.edu

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-06-09 12:37 UTC] stas at cvs dot php dot net

fixed in cvs

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon May 20 20:01:32 2024 UTC