Bug #7933 install sets dangerous user.group's
Submitted: 2000-11-22 16:27 UTC Modified: 2001-04-27 21:26 UTC
From: andre at tomt dot net Assigned:
Status: Closed Package: Installation problem
PHP Version: 4.0.3pl1 OS: Linux-2.2.18pre22-hard-vm
Private report: No CVE-ID: None
 [2000-11-22 16:27 UTC] andre at tomt dot net
The installation from the source tarballs installs a lot of include files with a wrong owner.group flag. This can be potentially very dangerous, allowing a user with the same UID, and in some cases the same GID as the files, to modify header files in the PHP installation.

This also goes for some files installed by Apache's makefiles, but on less "dangerous" files. A separate bug report will be issued in their direction later tonight.

Here's a list of the files not owned by root.
/usr/local/include/php/Zend/FlexLexer.h
/usr/local/include/php/Zend/acconfig.h
/usr/local/include/php/Zend/modules.h
/usr/local/include/php/Zend/zend-parser.h
/usr/local/include/php/Zend/zend-scanner.h
/usr/local/include/php/Zend/zend.h
/usr/local/include/php/Zend/zend_API.h
/usr/local/include/php/Zend/zend_alloc.h
/usr/local/include/php/Zend/zend_builtin_functions.h
/usr/local/include/php/Zend/zend_compile.h
/usr/local/include/php/Zend/zend_config.w32.h
/usr/local/include/php/Zend/zend_constants.h
/usr/local/include/php/Zend/zend_dynamic_array.h
/usr/local/include/php/Zend/zend_errors.h
/usr/local/include/php/Zend/zend_execute.h
/usr/local/include/php/Zend/zend_execute_locks.h
/usr/local/include/php/Zend/zend_extensions.h
/usr/local/include/php/Zend/zend_fast_cache.h
/usr/local/include/php/Zend/zend_globals.h
/usr/local/include/php/Zend/zend_globals_macros.h
/usr/local/include/php/Zend/zend_hash.h
/usr/local/include/php/Zend/zend_highlight.h
/usr/local/include/php/Zend/zend_indent.h
/usr/local/include/php/Zend/zend_list.h
/usr/local/include/php/Zend/zend_llist.h
/usr/local/include/php/Zend/zend_operators.h
/usr/local/include/php/Zend/zend_ptr_stack.h
/usr/local/include/php/Zend/zend_stack.h
/usr/local/include/php/Zend/zend_static_allocator.h
/usr/local/include/php/Zend/zend_variables.h
/usr/local/include/php/TSRM/TSRM.h
/usr/local/include/php/TSRM/acconfig.h
/usr/local/include/php/TSRM/readdir.h
/usr/local/include/php/TSRM/tsrm_config.w32.h
/usr/local/include/php/TSRM/tsrm_config_common.h
/usr/local/include/php/TSRM/tsrm_strtok_r.h
/usr/local/include/php/TSRM/tsrm_virtual_cwd.h
/usr/local/include/php/ext/standard/base64.h
/usr/local/include/php/ext/standard/basic_functions.h
/usr/local/include/php/ext/standard/cyr_convert.h
/usr/local/include/php/ext/standard/datetime.h
/usr/local/include/php/ext/standard/dl.h
/usr/local/include/php/ext/standard/dns.h
/usr/local/include/php/ext/standard/exec.h
/usr/local/include/php/ext/standard/file.h
/usr/local/include/php/ext/standard/flock_compat.h
/usr/local/include/php/ext/standard/fsock.h
/usr/local/include/php/ext/standard/head.h
/usr/local/include/php/ext/standard/html.h
/usr/local/include/php/ext/standard/info.h
/usr/local/include/php/ext/standard/md5.h
/usr/local/include/php/ext/standard/microtime.h
/usr/local/include/php/ext/standard/pack.h
/usr/local/include/php/ext/standard/pageinfo.h
/usr/local/include/php/ext/standard/php_array.h
/usr/local/include/php/ext/standard/php_assert.h
/usr/local/include/php/ext/standard/php_browscap.h
/usr/local/include/php/ext/standard/php_crypt.h
/usr/local/include/php/ext/standard/php_dir.h
/usr/local/include/php/ext/standard/php_ext_syslog.h
/usr/local/include/php/ext/standard/php_filestat.h
/usr/local/include/php/ext/standard/php_image.h
/usr/local/include/php/ext/standard/php_incomplete_class.h
/usr/local/include/php/ext/standard/php_iptc.h
/usr/local/include/php/ext/standard/php_lcg.h
/usr/local/include/php/ext/standard/php_link.h
/usr/local/include/php/ext/standard/php_mail.h
/usr/local/include/php/ext/standard/php_math.h
/usr/local/include/php/ext/standard/php_metaphone.h
/usr/local/include/php/ext/standard/php_output.h
/usr/local/include/php/ext/standard/php_parsedate.h
/usr/local/include/php/ext/standard/php_rand.h
/usr/local/include/php/ext/standard/php_standard.h
/usr/local/include/php/ext/standard/php_string.h
/usr/local/include/php/ext/standard/php_var.h
/usr/local/include/php/ext/standard/quot_print.h
/usr/local/include/php/ext/standard/reg.h
/usr/local/include/php/ext/standard/scanf.h
/usr/local/include/php/ext/standard/type.h
/usr/local/include/php/ext/standard/uniqid.h
/usr/local/include/php/ext/standard/url.h
/usr/local/include/php/ext/standard/url_scanner.h
/usr/local/include/php/ext/standard/php_smart_str.h
/usr/local/include/php/ext/standard/url_scanner_ex.h
/usr/local/include/php/ext/xml/expat/xmlparse/expat_hashtable.h
/usr/local/include/php/ext/xml/expat/xmlparse/xmlparse.h
/usr/local/include/php/ext/xml/expat/xmltok/asciitab.h
/usr/local/include/php/ext/xml/expat/xmltok/iasciitab.h
/usr/local/include/php/ext/xml/expat/xmltok/latin1tab.h
/usr/local/include/php/ext/xml/expat/xmltok/nametab.h
/usr/local/include/php/ext/xml/expat/xmltok/utf8tab.h
/usr/local/include/php/ext/xml/expat/xmltok/xmldef.h
/usr/local/include/php/ext/xml/expat/xmltok/xmlrole.h
/usr/local/include/php/ext/xml/expat/xmltok/xmltok.h
/usr/local/include/php/ext/xml/expat/xmltok/xmltok_impl.h
/usr/local/include/php/ext/xml/php_xml.h
/usr/local/include/php/main/SAPI.h
/usr/local/include/php/main/config.w32.h
/usr/local/include/php/main/configuration-parser.h
/usr/local/include/php/main/fdfdata.h
/usr/local/include/php/main/fopen-wrappers.h
/usr/local/include/php/main/internal_functions_registry.h
/usr/local/include/php/main/logos.h
/usr/local/include/php/main/php.h
/usr/local/include/php/main/php3_compat.h
/usr/local/include/php/main/php_compat.h
/usr/local/include/php/main/php_content_types.h
/usr/local/include/php/main/php_globals.h
/usr/local/include/php/main/php_ini.h
/usr/local/include/php/main/php_main.h
/usr/local/include/php/main/php_reentrancy.h
/usr/local/include/php/main/php_regex.h
/usr/local/include/php/main/php_syslog.h
/usr/local/include/php/main/php_ticks.h
/usr/local/include/php/main/php_variables.h
/usr/local/include/php/main/php_version.h
/usr/local/include/php/main/rfc1867.h
/usr/local/include/php/main/safe_mode.h
/usr/local/include/php/main/snprintf.h
/usr/local/include/php/main/win95nt.h
/usr/local/include/php/main/php_network.h
/usr/local/include/php/main/php_open_temporary_file.h
/usr/local/include/php/regex/cclass.h
/usr/local/include/php/regex/cname.h
/usr/local/include/php/regex/regex.h
/usr/local/include/php/regex/regex2.h
/usr/local/include/php/regex/regex_extra.h
/usr/local/include/php/regex/utils.h
/usr/local/include/php/acconfig.h

 [2000-12-18 11:32 UTC] sniper@php.net
Setting the permissions and owners of files is your 
duty and responsibility. 

--Jani
 [2000-12-19 03:21 UTC] andre at tomt dot net
Ok, I'm posting some more info, on request.

The 'problem' seems to be that these header files get installed without shtool setting sane ownerships. If you untar/compile it as root, you get whatever uid/gid ownership those files had inside the tarball. If you on the other hand untar/compile it as a 'normal' user, they will probably get that user's ownership (untested).

For the record, ownerships are 'wrong' after installation (make install), in $PREFIX/include/php

Of course this is no problem for paranoid admins like me, who check things often, but for the average person installing PHP, this could be an issue.

-- 
trippeh.
 [2001-04-27 21:26 UTC] sniper@php.net
The header files get installed with the same user/group
as the user installing them is. At least all files
I have installed (latest CVS) have root.root as owners.

--Jani
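
The check described in this report (listing installed headers that are not owned by root) can be scripted and run after `make install`. The following is an added example, not part of the original report or of PHP's build system; the function names `audit_tree` and `fix_tree` and the default `root:root` owner are assumptions.

```shell
#!/bin/sh
# Added example: audit an installed header tree for unexpected ownership
# or group/world write permission, and optionally normalise it.

# audit_tree DIR [OWNER] [GROUP]
# Prints one line per finding:
#   "owner PATH"    - PATH is not owned by OWNER or not in GROUP
#   "writable PATH" - PATH is writable by group or by others
# OWNER and GROUP default to root (assumed policy for a system-wide install).
audit_tree() {
    dir=$1; owner=${2:-root}; group=${3:-root}
    # Symlinks are skipped: their own mode and owner bits are not what
    # protects the file they point to.
    find "$dir" ! -type l \( ! -user "$owner" -o ! -group "$group" \) -print |
        sed 's/^/owner /'
    find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/writable /'
}

# fix_tree DIR [OWNER] [GROUP]
# Resets ownership and removes group/other write permission recursively.
# -h makes chown act on a symlink itself instead of the file it points to.
fix_tree() {
    dir=$1; owner=${2:-root}; group=${3:-root}
    chown -hR "$owner:$group" "$dir" && chmod -R go-w "$dir"
}

# Stand-alone use, for example:  sh audit.sh /usr/local/include/php
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```

When unpacking a source tarball as root with GNU tar, `--no-same-owner` makes the extracted files belong to the extracting user instead of the uid/gid recorded in the archive.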
