Would it help to add a disabled_functions list in php.ini? Unless
these functions are needed by Mozdev internal scripts, disabling these
might help:
* system
* exec
* shell_exec
* proc_open
* passthru
* mysql_list_dbs
* dl
* leak (I'm not sure if this is still available in PHP)
These could also be set for greater security (if needed):
* openlog
* syslog
* symlink
* link
* apache_child_terminate
* apache_note
* apache_getenv
* apache_setenv
* virtual
This setting can only be set in php.ini, not httpd.conf or .htaccess or
ini_set(). More info:
http://php.net/manual/en/ini.core.php#ini.disable-functions
There may be other php.ini settings that could be set (like
open_basedir:
http://www.php.net/manual/en/ini.core.php#ini.open-basedir) for greater
security.
--Jake
P.S. PHP is still disabled for the mp4downloader project. I sent an
email to the sysadmin list, but nothing has changed yet. I don't use PHP
much on this site except to redirect users to Drupal (pretty important,
since most people go to mp4downloader.mozdev.org instead of
mp4downloader.mozdev.org/drupal) and to handle changelog access from
testing versions of my add-on (not having PHP is really messing this up,
but it isn't too important because it is just a testing version).
P.S. (again): I can still run PHP code in local.conf, even though PHP is
disabled in my project. I guess this is necessary for certain settings
and stuff, but it also opens up a security hole.
On 09/29/2010 09:48 AM, Pete Collins wrote:
>
> On 9/29/10 5:32 AM, Robert Kaiser wrote:
>>
>> I guess that the particular setup of automated PHP stuff on mozdev
>> must have some problem. Neither the operating system nor PHP by
>> itself are security risks, or else they would not both be in use in
>> highly attack-prone setups. I guess the particular code mozdev uses
>> for automating a number of things has a problem and would need a
>> security audit, which is not so easy when you have a resource
>> shortage like this project does.
>>
>
> The security risk is that project owners having access to php and the
> write access to the database ...
>
> For the 9 years Mozdev has been up, everyone has operated and used
> these resources responsibly.
>
> This issue needed to be addressed and so now we are addressing it.
>
> --pete
>
> -- Pete Collins - Founder, Mozdev Group Inc.
> www.mozdevgroup.com
> Mozilla Software Development Solutions
> tel: 1-719-302-5811
> fax: 1-719-302-5813
>
> _______________________________________________
> Project_owners mailing list
> Project_owners@mozdev.org
> https://www.mozdev.org/mailman/listinfo/project_owners
>
>
_______________________________________________
Project_owners mailing list
Project_owners@mozdev.org
https://www.mozdev.org/mailman/listinfo/project_owners
