Bug 150260 - dev-lang/php - open_basedir race condition
Summary: dev-lang/php - open_basedir race condition
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: PHP Bugs
URL: http://www.hardened-php.net/advisory_...
Whiteboard:
Keywords:
Depends on: 167028
Blocks:
Reported: 2006-10-06 06:06 UTC by Carsten Lohrke (RETIRED)
Modified: 2007-03-05 17:59 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Carsten Lohrke (RETIRED) gentoo-dev 2006-10-06 06:06:59 UTC
PHP's open_basedir feature is meant to disallow scripts from accessing
files outside a set of configured base directories. The checks
for this are placed within PHP functions dealing with files before
the actual open call is performed.

Obviously there is a little span of time between the check and the
actual open call. During this time span the checked path could
have been altered and point to a file that is forbidden to be
accessed due to open_basedir restrictions.

Because the open_basedir restrictions often do not call PHP functions
but 3rd party library functions to actually open the file, it is
impossible to close this time span in a general way. It would only
be possible to close it when PHP handles the actual opening on its
own.

While it seems hard to change the path during this little time span,
it is very simple with the use of the symlink() function combined
with a little trick. PHP's symlink() function ensures that source
and target of the symlink operation are allowed by open_basedir
restrictions (and safe_mode). However, it is possible to point a
symlink to any file by the use of mkdir(), unlink() and at least
two symlinks.

http://www.hardened-php.net/advisory_082006.132.html
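The advisory above says the gap between the open_basedir check and the real open cannot be closed in general, only when the program performs the open itself. The C code below is an added example (not from the advisory, PHP or Gentoo) of how a program that does its own opening removes the gap: instead of validating a path name and opening it later, it walks the path one component at a time with openat() and O_NOFOLLOW against an already-open directory descriptor, so there is no separate check for a re-pointed symlink to race against. The names open_beneath and fixture_base are hypothetical, and the temporary directory layout the fixture builds is constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open `rel` beneath `base` with no check-then-open window: each component
 * is opened by openat() against the descriptor of the previous one, with
 * O_NOFOLLOW, so a symlink re-pointed at any moment is refused, not followed.
 * Returns a descriptor, or -1 with errno set. */
int open_beneath(const char *base, const char *rel, int flags) {
    if (rel[0] == '/' || rel[0] == '\0') { errno = EACCES; return -1; }
    int cur = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (cur < 0) return -1;
    char *copy = strdup(rel), *save = NULL;
    if (!copy) { close(cur); return -1; }
    for (char *comp = strtok_r(copy, "/", &save); comp; ) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) {              /* never climb out of base */
            close(cur); cur = -1; errno = EACCES; break;
        }
        if (strcmp(comp, ".") != 0) {
            /* inner components must be real directories; the last one takes
             * the caller's flags; none may be a symlink */
            int nfd = openat(cur, comp, O_CLOEXEC | O_NOFOLLOW |
                             (next ? (O_RDONLY | O_DIRECTORY) : flags));
            close(cur);
            if ((cur = nfd) < 0) break;
        }
        comp = next;
    }
    int saved = errno; free(copy); errno = saved;
    return cur;
}

/* Constructed fixture, built once: base/ok.txt is allowed; base/escape.txt
 * and base/escapedir are symlinks that point outside base. NULL on failure. */
const char *fixture_base(void) {
    static char base[64]; char tmp[] = "/tmp/obd-XXXXXX";
    if (base[0]) return base;
    if (!mkdtemp(tmp) || chdir(tmp) || mkdir("base", 0700) ||
        mkdir("outside", 0700)) return NULL;
    close(open("outside/secret.txt", O_WRONLY | O_CREAT, 0600));
    close(open("base/ok.txt", O_WRONLY | O_CREAT, 0600));
    if (symlink("../outside/secret.txt", "base/escape.txt") ||
        symlink("../outside", "base/escapedir")) return NULL;
    strcpy(base, tmp); return strcat(base, "/base");
}
```

This refuses every symlink under the base rather than trying to validate where one points, which is stricter than open_basedir but is what makes the result independent of timing.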
Comment 1 Sebastian Bergmann (RETIRED) gentoo-dev 2006-10-07 08:58:06 UTC
I do not think that there is anything we can do about this, apart from either enabling Suhosin by default or disabling the symlink() function by default.
Comment 2 Luca Longinotti (RETIRED) gentoo-dev 2006-10-07 10:59:44 UTC
Reassigning to us only because security doesn't handle safe_mode/open_basedir bypasses...

(In reply to comment #1)
> apart from either enabling Suhosin by default

Won't happen, we'll use this bug to quicken introduction of Suhosin a little in the tree, but it will always be only an additional option.

> disabling the symlink() function by default.

As upstream won't do this, we won't either (stay close to upstream paradigm).
I also have no idea of how many things this would break... And well, open_basedir is not something you should rely on for security; good old Unix permissions still do a much better job of granting or denying access to stuff. ;)
Best regards, CHTEKK.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-17 23:50:00 UTC
I think this issue is fixed in 4.4.5, see bug 167028
Comment 4 Luca Longinotti (RETIRED) gentoo-dev 2007-03-05 17:59:04 UTC
Suhosin is in the tree and will be stabled soon, see bug 153911 for progress.
Best regards, CHTEKK.