If you care about this problem, upgrade to 4.2.0 when
it's available.
--
Yasuo Ohgaki
Patrick Cossette wrote:
> I'm running PHP 4.1.2 as an Apache module (Apache 1.3.24) under AIX 4.3.3.
>
> My problem has been covered in Bug #13447 but I still have it and the bug
> was under Windows 2000 but I'm running AIX. It's a security
> problem with "unlink". My site runs as the user "web" but different parts of
> my site are modified by different developers. Since all
> files are owned by "web", I set up an open_basedir so each developer is
> limited to make file operations on his directory-tree. My
> problem is that this setup does not prevent unlinking, which means that one
> can delete files that are not under his directory-tree, and
> I do not want that. With the following setup, fopen and include are
> restricted by open_basedir, which is good. But one can unlink a file
> even if it's not under his directory-tree. I have the following in
> httpd.conf:
>
> <Directory "/u/uq/web/www.uqtr.ca/">
> Options Indexes Includes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> <IfModule mod_php4.c>
> AddType application/x-httpd-php .php
> php_flag engine on
> php_admin_value safe_mode 1
> php_admin_value safe_mode_exec_dir "/u/uq/web/www.uqtr.ca/"
> php_admin_value doc_root "/u/uq/web/www.uqtr.ca/"
> php_admin_value open_basedir "/u/uq/web/www.uqtr.ca/"
> php_admin_value user_dir "/u/uq/web/www.uqtr.ca/"
> </IfModule>
> </Directory>
>
>
> The file testerase.php is in /u/uq/web/www.uqtr.ca and contains this:
>
> <?php
> include ('/u/uq/web/entete.uqtr.ca/file_to_include'); // THE INCLUDE DOES NOT WORK: IT'S RESTRICTED BY OPEN_BASEDIR AND I'M GLAD
> unlink ('/u/uq/web/entete.uqtr.ca/file_to_delete');   // THE UNLINK WORKS: NO RESTRICTION AT ALL AND I'M UNHAPPY
> ?>
>
> I need help. Is it possible to bypass file deletion permission and restrict
> the directories in which to unlink?
>
> Thanks,
>
> Patrick
> [EMAIL PROTECTED]
>
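An added example, not from either poster or from PHP itself: until an upgrade that enforces open_basedir on unlink() is in place, a site can wrap deletions in a userland guard that resolves the target's parent directory with realpath() and refuses anything outside the permitted tree. The function names (safe_unlink, path_within_base, resolve_base) and the sandbox directories it builds under the system temp dir are constructed for this demonstration; the permitted base would be the same path the site puts in open_basedir.

```php
<?php
// Added example (not from the original thread): a userland guard that
// refuses to unlink anything outside an allowed directory tree, for
// installations where open_basedir does not restrict unlink().

function resolve_base($base)
{
    $real = realpath($base);
    if ($real === false || !is_dir($real)) {
        return false;
    }
    // Normalise to a trailing separator so "/u/uq/web/www" cannot
    // match a sibling such as "/u/uq/web/www.other".
    return rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
}

function path_within_base($path, $base)
{
    $baseReal = resolve_base($base);
    if ($baseReal === false) {
        return false;
    }
    // Resolve the parent directory rather than the file itself: realpath()
    // follows symlinks, and unlink() removes the link, not its target, so
    // the relevant question is where the directory entry lives. This also
    // collapses any "../" components before the comparison.
    $parent = realpath(dirname($path));
    if ($parent === false) {
        return false;
    }
    $parent = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $name = basename($path);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    return strncmp($parent, $baseReal, strlen($baseReal)) === 0;
}

function safe_unlink($path, $base)
{
    if (!path_within_base($path, $base)) {
        // Log the refusal so an administrator can see attempted escapes.
        error_log("safe_unlink: refused to delete '$path' outside '$base'");
        return false;
    }
    return unlink($path);
}

// Constructed demonstration: build a sandbox tree under the system temp dir.
$sandbox = sys_get_temp_dir() . '/safe_unlink_demo_' . getmypid();
mkdir("$sandbox/www.example", 0700, true);   // the developer's own tree
mkdir("$sandbox/other.example", 0700, true); // a sibling tree
touch("$sandbox/www.example/mine.txt");
touch("$sandbox/other.example/theirs.txt");

$base = "$sandbox/www.example";
var_dump(safe_unlink("$base/mine.txt", $base));                    // inside the tree
var_dump(safe_unlink("$sandbox/other.example/theirs.txt", $base)); // sibling tree
var_dump(safe_unlink("$base/../other.example/theirs.txt", $base)); // traversal attempt

// Clean up the sandbox.
@unlink("$sandbox/other.example/theirs.txt");
rmdir("$sandbox/www.example");
rmdir("$sandbox/other.example");
rmdir($sandbox);
```

Run it with the PHP CLI: the first call deletes the file and returns true, the other two are refused and return false, with a line written to the error log for each refusal. The check is deliberately on the parent directory, so a symlink placed inside the permitted tree that points elsewhere cannot be used to reach files outside it, while deleting the symlink entry itself (which lives inside the tree) is still allowed.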
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php