Just some notes...

On Wed, Jun 13, 2007 at 01:52:01AM +0200, Tomasz Pala wrote:
[...]
> Assuming a bug in any webapp, e.g. seeking to any file or executing a
> binary:
> - safe_mode - as long as root is the owner, an attacker can read root's
>   files having o+r or (g=http)+r, e.g. /etc/passwd or files containing
>   database passwords: /etc/webapps/coppermine-gallery/config.inc.php,
>   /etc/webapps/mediawiki/AdminSettings.php,
>   /etc/webapps/phpMyAdmin/config.inc.php, /etc/webapps/phpwiki/config.ini,
>   /etc/webapps/stacks-wiki/db.php, /etc/webapps/zabbix/db.inc.php
>   Changing the script owner makes safe_mode block this[1]. For now open_basedir
>   does it too, but as it is application-level security I don't trust it
>   (there were bugs) and IMHO it would be better to have the two work
>   together,
> - suPHP and any other solution involving EUID changes - they are all
>   SUID and it's obvious that the sooner they drop to the ordinary user
>   (script owner) the better. Why give them a chance to stay and work
>   with EUID=0? And this time the threat is bigger (although the system
>   seems to be more secure! for users at least) - it includes not only
>   reading some files, but also executing code with root privileges.
>
> My conclusion: there are some paths of privilege propagation from
> script owners. However the risk is low and dependent on system
> configuration, we shall avoid it. We should not trust separation above
> the operating system.
>
> [1] even more - we must set safe_mode_include_dir for every application
> so that it could read its configuration file. This way we are sure that
> no other PHP script will have access.
Actually safe_mode is application-level (interpreter-level) too, placed above the operating system. And suPHP utilizes OS security (although it exposes a higher risk in case of a bug in its code running with EUID=0).

-- 
Jakub Bogusz    http://qboosh.pl/

_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
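The exposure Tomasz describes (root-owned webapp config files that are o+r or readable by the httpd group, which safe_mode's owner check does not cover because the script owner differs from the file owner) can be audited from the shell. The script below is an added example for this thread, not code from the thread or from PLD; the directory layout `/etc/webapps`, the group name `http` and the example user `phpwiki` in the usage comment are assumptions taken from the message, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added audit helper (not from the thread): list webapp config files that a
# shared httpd process could read through a file-read bug, i.e. files NOT
# owned by the PHP script owner that are readable by "other" or by the
# httpd group.  safe_mode's owner check only protects a file whose owner
# matches the script owner, so everything printed here is what a
# root-owned /etc/webapps/*/config file (assumed layout) exposes.
#
#   audit_webapp_configs DIR SCRIPT_OWNER_UID HTTPD_GID
#
# Prints one line per exposed file: "<path> <octal mode> uid=<n> <reason>".
# Uses GNU stat(1) (-c); adjust for BSD stat if needed.
audit_webapp_configs() {
    dir=$1 script_uid=$2 httpd_gid=$3
    find "$dir" -type f | while IFS= read -r f; do
        set -- $(stat -c '%u %g %a' "$f")
        uid=$1 gid=$2 mode=$3
        # Same owner as the script: safe_mode would allow the read anyway,
        # and the file is that user's own data, so it is not "propagation".
        [ "$uid" = "$script_uid" ] && continue
        other=$(( mode % 10 ))          # last octal digit: permissions for "other"
        group=$(( (mode / 10) % 10 ))   # middle octal digit: permissions for group
        if [ $(( other & 4 )) -ne 0 ]; then
            printf '%s\n' "$f $mode uid=$uid world-readable"
        elif [ "$gid" = "$httpd_gid" ] && [ $(( group & 4 )) -ne 0 ]; then
            printf '%s\n' "$f $mode uid=$uid gid=$gid readable-by-httpd-group"
        fi
    done
}

# Example invocation on a PLD-style layout (assumed paths; group "http" as in
# the thread; "phpwiki" is a hypothetical script-owner account):
#   audit_webapp_configs /etc/webapps "$(id -u phpwiki)" "$(getent group http | cut -d: -f3)"
if [ $# -ge 3 ]; then
    audit_webapp_configs "$@"
fi
```

Run it once per script owner: a file that is reported for one owner but silent for another shows exactly the case where changing the script owner makes safe_mode block the read, while a world-readable hit is reachable by any script regardless of owner and needs a chmod (or a mode 640 file group-owned by the application user rather than by the httpd group).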