Edit report at https://bugs.php.net/bug.php?id=52312&edit=1
ID: 52312
Comment by: Terry at ellisons dot org dot uk
Reported by: v dot damore at gmail dot com
Summary: PHP safe_mode/open_basedir - lstat performance
problem
Status: Analyzed
Type: Bug
Package: Safe Mode/open_basedir
Operating System: Linux
PHP Version: 5.2.13
Block user comment: N
Private report: N
New Comment:
This bug is extant in 5.3 and 5.4 (up to 5.4.9). The flaw is the logic in
main/main.c:php_module_startup():
/* Disable realpath cache if safe_mode or open_basedir are set */
if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
CWDG(realpath_cache_size_limit) = 0;
}
Similar logic validly exists in code such as suEXEC and suPHP to prevent a race
condition allowing and unscrupulous script author to execute a script in
another UID in certain circumstances. This simply doesn't apply in this case.
Which technically a similar race could allow a script author to break the
basedir contain with miniscule probability by exploiting such a race, the
performance impacts are significant, for no material increase in security
strength. Get rid of this rule or at least split open_basedir into two
separate directives open_basedir_paranoid which disables the cache as above and
open_basedir which does the rational checks and doesn't disable the cache.
This has been lying around for nearly 3 years. How can we progress this?
Previous Comments:
------------------------------------------------------------------------
[2012-07-31 20:00:48] marcin at 6irc dot net
How about having concurrent cache tables for each basedir setting? For
instance, when open_basedir is set to '/home/teh1234;/tmp', then the lstat
populates only cache table "0", realpath_cache_* also uses exclusively this
cache, and when open_basedir is set to '/home/klaczy;/tmp' then it populates
and uses only cache table "1"? Are there any security considerations that I
don't notice here?
------------------------------------------------------------------------
[2011-08-16 18:52:34] spam2 at rhsoft dot net
> Caching open_basedir stats is insecure
not really because the permissions are not changed the whole day
------------------------------------------------------------------------
[2011-07-03 21:21:21] [email protected]
I really don't see a middle ground here. You are either secure or you aren't.
Caching open_basedir stats is insecure and the whole point of open_basedir in a
shared hosting setup is to secure these file accesses. If you don't care about
security, turn it off and live with the security issue, or better yet, change
your shared hosting setup to use VMs or other lower-level strategies that keep
users separated from each other.
------------------------------------------------------------------------
[2011-07-03 20:24:57] css at morefoo dot com
Hello,
Not much more than a "me too", sorry. Is there any plan in the works to make
php
both safe in a mass hosting setup as well as not take a big performance hit
when
running webapps with a large number of "require" and "include" functions? I'm
running php 5.3.6 and still seeing a huge amount of cpu time spent in "system"
on
common web apps like Joomla, Drupal and C5. Not seeing a clear solution that
works well on a shared hosting setup.
------------------------------------------------------------------------
[2011-06-02 15:01:13] aargoth at boo dot pl
You can simply use this PHP extension to bypass default security checks
mentioned in comments above.
http://php.webtutor.pl/en/2011/06/02/running-php-on-nfs-huge-performance-problems-and-one-simple-solution/
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=52312
--
Edit this bug report at https://bugs.php.net/bug.php?id=52312&edit=1
