Re: [PHP] safe mode bug ?

2004-06-07 Thread Emmanuel Lacour
On Sun, Jun 06, 2004 at 03:03:00PM +0200, Andreas John wrote:
> Hi!
>
> There are 2.5 possibilities that make sense.
>
> a.) mod_suphp [Any volunteers to put that into the debian tree??:-)]
> www.suphp.org

I've got preliminary packages for it (with an ITP). I'm going to put them
somewhere and I'm able to give them to any DD for integration into Debian.

-- 
Emmanuel Lacour  Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: [PHP] safe mode bug ?

2004-06-07 Thread Michal Panoch
Robert Hensel [EMAIL PROTECTED] writes:

> Hi,
>
> I understand that there are a lot of solutions to make PHP more safe. And
> of course, I don't see safe_mode as _the_ solution. But I definitely consider
> it to be a good extra protection, just like basedir restrictions, and the
> problem I described seems simply like a bug in safe_mode.

True. I forgot about using it a long time ago... safe_mode is not a bad
idea, but the way it's implemented really IS... :(

> Franz Georg Köhler wrote:
>
>> Hello,
>>
>> it is widely known that safe_mode is not really safe.
>>
>> You might want to restrict access with open_basedir.

I think open_basedir is far better and safer than the whole safe_mode
thing...

>> The most secure solution is still to install php's cgi executable in an
>> suexec environment.

I agree with this, but it's not applicable on boxes with heavy load... CGI
cannot meet the speed of the PHP Apache module... Maybe with FastCGI, but I
haven't tried yet...

--
regards,

= michal panoch - linux admin
= [EMAIL PROTECTED]
= gpg fp: 816b be10 99cf 159b 8e1a  4648 ad7a 9df2 de4e c6f4



[PHP] safe mode bug ?

2004-06-06 Thread Robert Hensel
Hi,
I came upon a strange problem when trying to list directories in safe
mode as a normal user. Of course I expected this not to work, because
safe_mode disables the possibility of reading files that do not belong to
the owner of the PHP file. However, it does not seem to check for
directory ownership. (Debian stable, PHP 4.1.2.) PHP does give a warning
about safe_mode (as seen below) but then nicely lists the directory :(
This means any user can just browse through any dir. on my system. PHP
obviously still obeys UNIX file permissions, so I could tighten those up
and enable basedir restrictions and stuff, but it looks to me like this
is just a (major) bug?

The PHP script:

<?php
$file = '/etc';
if ($handle = opendir($file))           // opendir() succeeds and the handle is usable
{
    chdir($file);                       // line 5 of the script, the line the warning below refers to
    while (false !== ($file = readdir($handle)))
    {
        if (is_dir($file))              // relative path, resolved against the current working directory
        {
            echo "DIR:$file<br>";
        }
        else
        {
            echo "FILE:$file<br>";
        }
    }
    closedir($handle);
}
?>

*Warning*: SAFE MODE Restriction in effect. The script whose uid is 
1059 is not allowed to access /etc owned by uid 0 in 
*/home/robert/hensel.nl/robert/www/test_dir.php* on line *5*
DIR:.
DIR:..
FILE:modutils
FILE:ssh
FILE:init.d  (goes on)

phpinfo:

    Directive               Local Value   Master Value
    safe_mode               On            On
    safe_mode_exec_dir      no value      no value
    safe_mode_gid           Off           Off
    safe_mode_include_dir   no value      no value

thanks in advance for any thoughts about this.
--
Robert Hensel
E: [EMAIL PROTECTED]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This email and any attachment is intended for the
addressee only. If you are not the addressee, you
are notified that no part of the email or any
attachment may be disclosed, copied or distributed,
and that any other action related to this email or
attachment is strictly prohibited, and may be unlawful.
If you are not the addressee, please notify the sender
immediately by return email, and delete this message.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Re: [PHP] safe mode bug ?

2004-06-06 Thread Franz Georg Köhler
On Sun, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel [EMAIL PROTECTED] wrote:
> Hi,
>
> I came upon a strange problem when trying to list directories in safe
> mode as a normal user. Of course I expected this not to work, because
> safe_mode disables the possibility of reading files that do not belong to
> the owner of the PHP file. However, it does not seem to check for
> directory ownership. (Debian stable, PHP 4.1.2.) PHP does give a warning
> about safe_mode (as seen below) but then nicely lists the directory :(
> This means any user can just browse through any dir. on my system. PHP
> obviously still obeys UNIX file permissions, so I could tighten those up
> and enable basedir restrictions and stuff, but it looks to me like this
> is just a (major) bug?

Hello,

it is widely known that safe_mode is not really safe.

You might want to restrict access with open_basedir.

The most secure solution is still to install php's cgi executable in an
suexec environment.






Re: [PHP] safe mode bug ?

2004-06-06 Thread Andreas John
Hi!
There are 2.5 possibilities that make sense.
a.) mod_suphp [Any volunteers to put that into the debian tree??:-)]
www.suphp.org
b.) Run php as cgi and attach a she-bang (#!/path/to/php-cgi)
c.) Run php as cgi and teach the environment to treat .php files like
binaries with the binfmt kernel module

Personally I did not decide whether to take a.) or c.) ...
Rgds,
Andreas
Franz Georg Köhler wrote:
> On Sun, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel [EMAIL PROTECTED] wrote:
>> Hi,
>> I came upon a strange problem when trying to list directories in safe
>> mode as a normal user. Of course I expected this not to work, because
>> safe_mode disables the possibility of reading files that do not belong to
>> the owner of the PHP file. However, it does not seem to check for
>> directory ownership. (Debian stable, PHP 4.1.2.) PHP does give a warning
>> about safe_mode (as seen below) but then nicely lists the directory :(
>> This means any user can just browse through any dir. on my system. PHP
>> obviously still obeys UNIX file permissions, so I could tighten those up
>> and enable basedir restrictions and stuff, but it looks to me like this
>> is just a (major) bug?
>
> Hello,
> it is widely known that safe_mode is not really safe.
> You might want to restrict access with open_basedir.
> The most secure solution is still to install php's cgi executable in an
> suexec environment.


--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net


Re: [PHP] safe mode bug ?

2004-06-06 Thread Robert Hensel
Hi,
I understand that there are a lot of solutions to make PHP more safe.
And of course, I don't see safe_mode as _the_ solution. But I definitely
consider it to be a good extra protection, just like basedir
restrictions, and the problem I described seems simply like a bug in
safe_mode.

Franz Georg Köhler wrote:
> Hello,
> it is widely known that safe_mode is not really safe.
> You might want to restrict access with open_basedir.
> The most secure solution is still to install php's cgi executable in an
> suexec environment.


--
Robert Hensel
E: [EMAIL PROTECTED]


Re: [PHP] safe mode bug ?

2004-06-06 Thread William Dode
Andreas John [EMAIL PROTECTED] writes:

> Hi!
>
> There are 2.5 possibilities that make sense.
>
> a.) mod_suphp [Any volunteers to put that into the debian tree??:-)]
> www.suphp.org
> b.) Run php as cgi and attach a she-bang (#!/path/to/php-cgi)
> c.) Run php as cgi and teach the environment to treat .php files like
> binaries with the binfmt kernel module
>
> Personally I did not decide whether to take a.) or c.) ...

When you run as cgi, with suexec, you also need to chmod +x and set a
good group and owner. So it seems to be a pain at the beginning, but
afterwards you're happy to have something really secure.

-- 
William - http://flibuste.net


