Well actually, open_basedir is not *supposed* to check UIDs. However, safe_mode *is*, and it was not for the opendir() function. So I patched it to do so (in CVS). Also I noticed that when the CHECKUID_ALLOW_ONLY_DIR flag is passed to php_checkuid(), it misses the case where you are referring to the root directory (because the leading slash is changed to a null, and so VCWD_STAT was being passed a null string instead of "/" or "\\"). I fixed that as well.
-James

On Fri, 1 Mar 2002, Chand wrote:

> hi,
>
> Just wanted to let you guys know that the php opendir() function suffers a tiny
> security risk in a multiuser environment. Say you have a server with multiple users
> having access to php. Those users' homedirs are stored in the same tree (say
> /data/users/).
>
> With the function as it is now, the user chand (/data/users/chand) would be able to
> open and watch the contents of Rasmus' home directory (/data/users/rasmus) because
> _php_do_opendir (in ext/standard/dir.c) doesn't implement the safe_mode's
> php_checkuid function as I think it should (IMHO). It only checks the open_base_dir
> variable. But on a multiuser (multi as in thousands of thousands) environment, you
> can't honestly go that way.
>
> Hence the following patch
>
> --- ../php-4.1.0/ext/standard/dir.c Sat Aug 11 19:03:36 2001
> +++ ext/standard/dir.c Fri Mar 1 00:46:58 2002
> @@ -151,6 +151,13 @@
> if (php_check_open_basedir((*arg)->value.str.val TSRMLS_CC)) {
> RETURN_FALSE;
> }
> +
> + /* <CHAND> Added Checkuid so that we check a guy can't go see anything
> except from his directory up... */
> + if (!php_checkuid((*arg)->value.str.val, NULL, 3)) {
> + php_error(E_WARNING, "Permission denied to the directory : %s",
> (*arg)->value.str.val);
> + RETURN_FALSE;
> + }
> + /* </CHAND> */
>
> dirp = emalloc(sizeof(php_dir));
>
>
> Just tell me if I'm out of the blue here and if what I'm saying is making any sense
> to you. Almost every security issue in such an environment I had to patch in earlier
> versions of php were patched in 4.1.0 except for this one.
> If it could be from now on, it would be pretty cool :)
>
> Thanks for any comments and for taking my information into consideration. Maybe the
> patch I submitted is not the best way to do it (I don't master the php/Zend API) but
> it works fine with me.
>
> Later
>
> --
> Mark Villemade
> Hosting Services Technical Manager
> MultiMania / Lycos Europe
> (int) +33 1 53 27 24 05

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
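Review bot: the mode argument on the `+ if (!php_checkuid((*arg)->value.str.val, NULL, 3)) {` line is the bare literal 3, which tells a reader nothing about which check is being requested; pass the intended named CHECKUID_* constant instead (the reply above discusses CHECKUID_ALLOW_ONLY_DIR as the directory-only mode). Also, the new check runs unconditionally even though the stated justification is that safe_mode's uid check should cover opendir(): consider wrapping the `php_checkuid()` call, its `php_error(E_WARNING, ...)` and the `RETURN_FALSE` in a safe_mode condition so the behaviour of opendir() is unchanged when safe_mode is off.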
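As an added illustration of the root-directory case James describes in his reply (this is example code, not PHP's own safe_mode implementation), here is the "directory of the path" step of a directory-only ownership check in C, the flawed form beside the fixed one. The function names, the 1024-byte buffer and the use of '/' as the only separator are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Added example, not PHP's safe_mode code. Assumes '/' is the only
 * separator and that a 1024-byte buffer is enough. */

/* Flawed: cut the copy at its last '/'. For a path directly under the
 * root ("/etc") that turns the leading slash into the terminator, so the
 * "directory" handed to stat() is "" and the ownership check can never
 * reach the real parent. */
static const char *parent_dir_flawed(const char *path) {
    static char out[1024];
    char *s;
    strncpy(out, path, sizeof out - 1);
    out[sizeof out - 1] = '\0';
    s = strrchr(out, '/');
    if (s) *s = '\0';          /* "/etc" -> "" (the bug) */
    else strcpy(out, ".");     /* no separator: directory is the cwd */
    return out;
}

/* Fixed: when the last '/' is also the first character the parent is the
 * root itself, so keep "/" instead of emptying the string. */
static const char *parent_dir_fixed(const char *path) {
    static char out[1024];
    char *s;
    strncpy(out, path, sizeof out - 1);
    out[sizeof out - 1] = '\0';
    s = strrchr(out, '/');
    if (s == out) out[1] = '\0';  /* "/etc" -> "/" */
    else if (s) *s = '\0';        /* "/data/users/chand" -> "/data/users" */
    else strcpy(out, ".");
    return out;
}

/* 1 if the parent directory can be stat()ed (the step before comparing its
 * st_uid with the caller's uid), 0 if it cannot. */
static int parent_is_statable(const char *path, int use_fix) {
    struct stat sb;
    const char *dir = use_fix ? parent_dir_fixed(path) : parent_dir_flawed(path);
    return stat(dir, &sb) == 0;
}

int main(void) {
    printf("flawed: \"%s\" statable=%d\n", parent_dir_flawed("/etc"),
           parent_is_statable("/etc", 0));
    printf("fixed:  \"%s\" statable=%d\n", parent_dir_fixed("/etc"),
           parent_is_statable("/etc", 1));
    return 0;
}
```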