php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #53495 PHP should fail if executed as superuser and php.ini is world-writeable
Submitted: 2010-12-08 02:00 UTC Modified: 2016-08-12 16:37 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: marcel dot esser at gmail dot com Assigned: cmb (profile)
Status: Closed Package: PHP options/info functions
PHP Version: Irrelevant OS: UNIX-like
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
33 + 49 = ?
Subscribe to this entry?

 
 [2010-12-08 02:00 UTC] marcel dot esser at gmail dot com 
Description:
------------
PHP should fail if executed as root, and if the currently used php.ini is world 
writable.

If php.ini is left world-writable, an attacker can auto-pretend or auto-append 
malicious code to execute when a script is invoked as root.

Test script:
---------------
marcel@kekeke:~$ sudo php test.php
I am executing as root!
hello

marcel@kekeke:~$ cat /etc/php5/php.ini | grep -i auto_prepend
auto_prepend_file = /tmp/malice.php

marcel@kekeke:~$ ls -lah /tmp/malice.php 
-rw-r--r-- 1 marcel marcel 40 Dec  8 00:58 /tmp/malice.php

marcel@kekeke:~$ ls -lah /etc/php5/php.ini 
-rw-rw-rw- 1 root root 67K Dec  8 00:57 /etc/php5/php.ini

marcel@kekeke:~$ cat test.php
<?php
echo "hello\n";


Expected result:
----------------
PHP should error out fatal, probably.

Actual result:
--------------
PHP runs the malicious code.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-19 01:54 UTC] geissert@php.net 
Personal opinion follows:

a) If such a check was to be included, there's no reason to special case it to 
root. Arbitrary code execution under whatever user is an issue.

b) There are plenty of other ways to escalate privileges if files are world-
writeable. Only checking for php.ini's perms would give a false sense for 
security, while checking for every single file read by php would be paranoid and 
a waste of time.

There's an easier fix: don't make files world-writeable.

(I don't see anything in this report that requires it to be private, so I'm 
removing the flag.)
 [2011-03-23 02:39 UTC] felipe@php.net
-Package: Security related +Package: PHP options/info functions
 [2013-05-20 08:00 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request
 [2016-08-12 16:37 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-08-12 16:37 UTC] cmb@php.net 
> Only checking for php.ini's perms would give a false sense for
> security, while checking for every single file read by php would
> be paranoid and a waste of time.

That. Also consider: if the PHP executable itself is
world-writable, all bets are off.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 17:01:29 2024 UTC