php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #53495 PHP should fail if executed as superuser and php.ini is world-writeable
Submitted: 2010-12-08 02:00 UTC Modified: 2016-08-12 16:37 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: marcel dot esser at gmail dot com Assigned: cmb (profile)
Status: Closed Package: PHP options/info functions
PHP Version: Irrelevant OS: UNIX-like
Private report: No CVE-ID: None
 [2010-12-08 02:00 UTC] marcel dot esser at gmail dot com
Description:
------------
PHP should fail if executed as root, and if the currently used php.ini is world 
writable.

If php.ini is left world-writable, an attacker can auto-pretend or auto-append 
malicious code to execute when a script is invoked as root.

Test script:
---------------
marcel@kekeke:~$ sudo php test.php
I am executing as root!
hello

marcel@kekeke:~$ cat /etc/php5/php.ini | grep -i auto_prepend
auto_prepend_file = /tmp/malice.php

marcel@kekeke:~$ ls -lah /tmp/malice.php 
-rw-r--r-- 1 marcel marcel 40 Dec  8 00:58 /tmp/malice.php

marcel@kekeke:~$ ls -lah /etc/php5/php.ini 
-rw-rw-rw- 1 root root 67K Dec  8 00:57 /etc/php5/php.ini

marcel@kekeke:~$ cat test.php
<?php
echo "hello\n";


Expected result:
----------------
PHP should error out fatal, probably.

Actual result:
--------------
PHP runs the malicious code.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-19 01:54 UTC] geissert@php.net
Personal opinion follows:

a) If such a check was to be included, there's no reason to special case it to 
root. Arbitrary code execution under whatever user is an issue.

b) There are plenty of other ways to escalate privileges if files are world-
writeable. Only checking for php.ini's perms would give a false sense for 
security, while checking for every single file read by php would be paranoid and 
a waste of time.

There's an easier fix: don't make files world-writeable.

(I don't see anything in this report that requires it to be private, so I'm 
removing the flag.)
 [2011-03-23 02:39 UTC] felipe@php.net
-Package: Security related +Package: PHP options/info functions
 [2013-05-20 08:00 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2016-08-12 16:37 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-08-12 16:37 UTC] cmb@php.net
> Only checking for php.ini's perms would give a false sense for
> security, while checking for every single file read by php would
> be paranoid and a waste of time.

That. Also consider: if the PHP executable itself is
world-writable, all bets are off.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Dec 04 18:01:23 2020 UTC