[PHP] Re: possible safe mode bug with opendir() ?
Hi again,

I believe it should disallow opening a directory in safe mode if the UID of the directory does not match the UID of the PHP script. That is exactly the behavior of fopen() in safe mode. Without that behavior, users are permitted to write a PHP script that lets them crawl around the webserver seeing things they have no rights to see.

It happens on our system that there will never be any files owned by user A under a directory owned by user B. But even if there were, I think safe mode should disallow this type of filesystem reading.

Do you think the fact that this file reading is permitted is a bug that should be reported?

A.

> It works like user/group permission as you know. I don't know what you want to protect :)
>
> Do you mean a script with opendir() shouldn't allow opening any directory under open_basedir if UID does not match?
>
> You can protect on a file basis, why do you need other protection for directories under open_basedir? Do you have good reason for this?
>
> --
> Yasuo Ohgaki

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Re: possible safe mode bug with opendir() ?
[EMAIL PROTECTED] wrote:

> Hi again, I believe it should disallow opening a directory in safe mode if the UID of the directory does not match the UID of the PHP script. That is exactly the behavior of fopen() in safe mode. Without that behavior, users are permitted to write a PHP script that lets them crawl around the webserver seeing things they have no rights to see.

Now I see what you want :)

> It happens on our system that there will never be any files owned by user A under a directory owned by user B. But even if there were, I think safe mode should disallow this type of filesystem reading.

Under UNIX-like systems, /tmp is world writable and everyone on the system can open dir/write/read files, but it's possible to secure files/directories under /tmp. I think you can apply the same. GID support also helps to allow opening files for a certain group. Is it not enough for your security needs?

> Do you think the fact that this file reading is permitted is a bug that should be reported?

I think a feature that checks the dir UID/GID will be useful for some people. How about submitting a feature request? (It's one of the bug report types.)

BTW, you have the option to disallow opendir altogether, with the disable_functions directive in php.ini.

--
Yasuo Ohgaki
[PHP] Re: possible safe mode bug with opendir() ?
Yasuo Ohgaki wrote:

> [EMAIL PROTECTED] wrote:
>
>> It happens on our system that there will never be any files owned by user A under a directory owned by user B. But even if there were, I think safe mode should disallow this type of filesystem reading.
>
> Under UNIX-like systems, /tmp is world writable and everyone on the system can open dir/write/read files, but it's possible to secure files/directories under /tmp. I think you can apply the same. GID support also helps to allow opening files for a certain group. Is it not enough for your security needs?

BTW, if you get rid of read permission for a directory, directory listing is not possible under UNIX-like systems. You can still read/write files with proper permission. (unlink/create files with proper permission also. You can get rid of write permission for the directory, too.)

Just in case you didn't know about it :)

php.ini entries like

safe_mode_opendir_sid
safe_mode_opendir_gid

will help to improve security still. I just don't need this kind of feature, but others may need it.

--
Yasuo Ohgaki
[PHP] Re: possible safe mode bug with opendir() ?
[EMAIL PROTECTED] wrote:

> When in safe mode shouldn't PHP check to see if the directory that is about to be opened with an opendir() function has the same UID as the PHP script itself, and fail if the UIDs do not match?

From 4.1.0, an optional GID check is available.

> Because in PHP 4.0.6 with safe_mode on, a PHP script owned by fred can open any directory owned by any other UID, so long as the directory is under the open_basedir. This does not seem right to me, as it allows a user in safe_mode to browse all the files on the entire webserver, looking for things he might be able to peek at with a web browser. Please advise whether this should be a bug report.

Take a look at the latest implementation and see if you still have issues.

http://snaps.php.net/

--
Yasuo Ohgaki
[PHP] Re: possible safe mode bug with opendir() ?
But where user fred can opendir() a directory owned by user mary (underneath the open_basedir), that action doesn't even pass a UID check if the UIDs are supposed to match in safe mode in order for the action to be allowed. How would an optional GID check help?

A.

>> When in safe mode shouldn't PHP check to see if the directory that is about to be opened with an opendir() function has the same UID as the PHP script itself, and fail if the UIDs do not match?
>
> From 4.1.0, an optional GID check is available.
>
> Take a look at the latest implementation and see if you still have issues.
>
> http://snaps.php.net/
>
> --
> Yasuo Ohgaki
[PHP] Re: possible safe mode bug with opendir() ?
[EMAIL PROTECTED] wrote:

> But where user fred can opendir() a directory owned by user mary (underneath the open_basedir), that action doesn't even pass a UID check if the UIDs are supposed to match in safe mode in order for the action to be allowed. How would an optional GID check help?

It may, it may not. It works like user/group permission as you know. I don't know what you want to protect :)

Do you mean a script with opendir() shouldn't allow opening any directory under open_basedir if UID does not match? I think it should be allowed. It's perfectly valid to me.

What if the directory is owned by another user, but there are files owned by the user? Would you like to disallow listing the directory? I guess not.

You can protect on a file basis, why do you need other protection for directories under open_basedir? Do you have good reason for this?

--
Yasuo Ohgaki

>>> When in safe mode shouldn't PHP check to see if the directory that is about to be opened with an opendir() function has the same UID as the PHP script itself, and fail if the UIDs do not match?
>>
>> From 4.1.0, an optional GID check is available.
>>
>> Take a look at the latest implementation and see if you still have issues.
>>
>> http://snaps.php.net/
>>
>> --
>> Yasuo Ohgaki
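
The per-directory ownership check requested in this thread can be approximated in userland. The following is an added example, not code from the thread or from PHP itself; the function name owner_checked_opendir() and the demo paths are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not PHP's own safe mode code: opendir() behind the
 * UID comparison the thread asks for. Function name is hypothetical.
 *
 * @return resource|false directory handle, or false when refused
 */
function owner_checked_opendir(string $path)
{
    // Resolve symlinks and ".." first so the ownership test applies to
    // the directory that would really be opened.
    $real = realpath($path);
    if ($real === false || !is_dir($real)) {
        return false;
    }

    $dirUid    = fileowner($real); // owner of the target directory
    $scriptUid = getmyuid();       // owner of the running script file

    if ($dirUid === false || $scriptUid === false || $dirUid !== $scriptUid) {
        error_log(sprintf(
            'opendir refused: %s is owned by uid %s, script by uid %s',
            $real,
            var_export($dirUid, true),
            var_export($scriptUid, true)
        ));
        return false;
    }

    // The check and the open are separate system calls, so a directory
    // swapped in between them is not caught (check-then-use race).
    return opendir($real);
}

// Constructed demo: the script's own directory normally passes; the
// system temp directory usually belongs to another UID and is refused.
foreach ([__DIR__, sys_get_temp_dir()] as $dir) {
    $handle = owner_checked_opendir($dir);
    if ($handle === false) {
        echo "refused: $dir\n";
        continue;
    }
    echo "allowed: $dir\n";
    closedir($handle);
}
```

Being userland code, the wrapper only constrains scripts that call it; it does not replace an interpreter-level check of the kind discussed in the thread.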