Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Hi, Adrian Minta wrote: > > Try apache2-mpm-itk. Is better than suphp IMHO ! I saw it, but its description reads "Please note that this MPM is highly experimental, and is not from the same tree as the other MPMs.", so I did not consider using it on a production server. For what it's worth, libapache2-mod-suphp has no such disclaimer, so I considered it safer to use. Anyway, I don't think a security update should break existing setups like this one did. Cheers, Nicolas Boullis, slightly disappointed PS: sorry Adrian for the duplicate message, I did not intend to send this message privately to you. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Hi Nicolas, * Nicolas Boullis <[EMAIL PROTECTED]> [2008-04-28 18:10]: [...] > > It was discovered that suphp, an Apache module to run PHP scripts with > > owner permissions handles symlinks insecurely, which may lead to > > privilege escalation by local users. > > I upgraded the package as suggested, but it broke my setup. > > For what it's worth, I have a virtualhost whose documentroot is > /var/www/foo. > That directory is owned by user foo. > Under this one, I have a directory /var/www/foo/bar, that contains a > script index.php, both being owned by user bar. > (This web site is composed of several branches, managed by different > people.) YFYI there is a bug about that: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477646 Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted. pgpgHfmJ8EgJM.pgp Description: PGP signature
Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Nicolas Boullis wrote: Hi, Moritz Muehlenhoff wrote: Debian Security Advisory DSA-1550-1 [EMAIL PROTECTED] http://www.debian.org/security/ Moritz Muehlenhoff April 17, 2008http://www.debian.org/security/faq Package: suphp Vulnerability : programming error Problem type : local Debian-specific: no CVE Id(s) : CVE-2008-1614 Debian Bug : 475431 It was discovered that suphp, an Apache module to run PHP scripts with owner permissions handles symlinks insecurely, which may lead to privilege escalation by local users. I upgraded the package as suggested, but it broke my setup. For what it's worth, I have a virtualhost whose documentroot is /var/www/foo. That directory is owned by user foo. Under this one, I have a directory /var/www/foo/bar, that contains a script index.php, both being owned by user bar. (This web site is composed of several branches, managed by different people.) With the new suphp, apache refuses to serve /var/www/foo/bar/index.php because /var/www/foo is not owned by the script's owner. Looking at the diff between 0.6.2-1 and 0.6.2-1+etch0, it looks like the new suPHP::Application::checkParentDirectories function is responsible for this new behaviour. Since, my setup involves no symlink at all, I think this check exceeds what is required to fix the security flaw. Would it be possible to fix this behaviour? Cheers, Nicolas Boullis Try apache2-mpm-itk. Is better than suphp IMHO ! -- Best regards, Adrian Minta -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Hi, Moritz Muehlenhoff wrote: > > Debian Security Advisory DSA-1550-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Moritz Muehlenhoff > April 17, 2008http://www.debian.org/security/faq > > > Package: suphp > Vulnerability : programming error > Problem type : local > Debian-specific: no > CVE Id(s) : CVE-2008-1614 > Debian Bug : 475431 > > It was discovered that suphp, an Apache module to run PHP scripts with > owner permissions handles symlinks insecurely, which may lead to > privilege escalation by local users. I upgraded the package as suggested, but it broke my setup. For what it's worth, I have a virtualhost whose documentroot is /var/www/foo. That directory is owned by user foo. Under this one, I have a directory /var/www/foo/bar, that contains a script index.php, both being owned by user bar. (This web site is composed of several branches, managed by different people.) With the new suphp, apache refuses to serve /var/www/foo/bar/index.php because /var/www/foo is not owned by the script's owner. Looking at the diff between 0.6.2-1 and 0.6.2-1+etch0, it looks like the new suPHP::Application::checkParentDirectories function is responsible for this new behaviour. Since, my setup involves no symlink at all, I think this check exceeds what is required to fix the security flaw. Would it be possible to fix this behaviour? Cheers, Nicolas Boullis -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]