Currently php and mod_php have POSIX functions available by default. This is a potential security risk. POSIX functions can retrieve sensitive information, also avoiding safe_mode handling. Here is a snip from php.net:

Sensitive data can be retrieved with the POSIX functions, e.g. posix_getpwnam() and friends. None of the POSIX functions perform any kind of access checking when safe mode is enabled. It's therefore strongly advised to disable the POSIX extension at all (use --disable-posix in your configure line) if you're operating in such an environment.

Here is a php script example:

    <? var_dump(posix_getpwnam('apache')); ?>

Reproducible: Always

Steps to Reproduce:
1. create the script listed in details (pick a user for example)
2. execute the script
3. view information about the user

Actual Results:
Potential information leak. The above example would output the following:

    array(7) {
      ["name"]=>
      string(6) "apache"
      ["passwd"]=>
      string(1) "x"
      ["uid"]=>
      int(81)
      ["gid"]=>
      int(81)
      ["gecos"]=>
      string(6) "apache"
      ["dir"]=>
      string(11) "/home/httpd"
      ["shell"]=>
      string(10) "/bin/false"
    }

Expected Results:
With --disable-posix the output to the screen should have said:

    Fatal Error: Call to undefined function: posix_getpwnam() in /var/www/localhost/htdocs/test.php on line 2

I was able to manually disable this configuration flag by editing the php-sapi.eclass file. Not sure how to preserve the changes. The PORTDIR_OVERLAY option in make.conf did not seem to look at my eclass in /usr/local/portage/eclass/php-sapi.eclass. Is there a way to achieve this?
Robin, please advise.
A number of webapps use the posix extensions to get user information on purpose (and then have pam linkage to authenticate). They just go ahead and use them because they are in the defaults of PHP and so they expect them to be there. If you are entirely paranoid with your safe mode, just put the names of the functions that you consider dangerous into disable_functions. Or run apache in a chroot/jail with a minimal set of nss data. I'm not disabling the posix functions by default because they are used by webapps. If and when portage gets the ability to properly DEPEND on a package being built with a certain set of use flags, PHP will become a lot more minimal. If you are so paranoid that your users might use the posix functions to do evil, there is a lot worse stuff they can do. Read the recent note by the PHP folks: http://www.php.net/security-note.php My opinion on this is WONTFIX/LATER.
Hello, thank you for your response. I'm not paranoid of my users, and I have read the content at: http://www.php.net/security-note.php. But I'm also reading the warning here: http://us2.php.net/manual/en/ref.posix.php

[QUOTE] Sensitive data can be retrieved with the POSIX functions, e.g. posix_getpwnam() and friends. None of the POSIX functions perform any kind of access checking when safe mode is enabled. It's therefore strongly advised to disable the POSIX extension at all (use --disable-posix in your configure line) if you're operating in such an environment. [END QUOTE]

I'm primarily concerned with misconfigured apps (ie: phpBB, phpNuke, Phorum) that may allow exploitation of these functions (has happened.. and will happen again). I just wanted to put this idea out there.

Example unsuccessful attack script (captured via snort) to phorum:

    ###################################
    Command/Safemode Exploit 4.1</DIV>
    <BR>
    <DIV STYLE="font-family: verdana; font-size: 20px; font-weight: bold; color: #F3A700;">Informação do Sistema</DIV>
    <?php
    // Hey folks, if you're going to rip this, at least put in a note about Data Cha0s
    closelog();
    $dono = get_current_user();
    $ver = phpversion();
    $login = posix_getuid();
    $euid = posix_geteuid();
    $gid = posix_getgid();
    if ($chdir == "") $chdir = getcwd();
    ###################################

As stated in the original post, I went ahead and disabled posix via php-sapi.eclass. It would be great to have this as a USE flag option down the road. Thank you for your time and hard work.
it'll be easier for you to just disable the functions you don't want using disable_functions in your ini file.
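The disable_functions route suggested in the two comments above, as an added audit script that is not part of the bug thread or of Gentoo's PHP packaging: it parses a disable_functions value the way php.ini does and reports, for a list of POSIX functions chosen here, whether each is still callable in the running interpreter and whether the setting covers it. The function list and the sample ini value are constructed for the example.

```php
<?php
// Added example (not from the bug report): audit whether the POSIX
// extension is reachable from PHP code and which of its functions a
// given disable_functions setting actually blocks.

// Information-returning POSIX functions; the selection is ours, based on
// the php.net warning quoted in the thread ("posix_getpwnam() and friends").
const POSIX_SENSITIVE = [
    'posix_getpwnam', 'posix_getpwuid', 'posix_getgrnam', 'posix_getgrgid',
    'posix_getuid', 'posix_geteuid', 'posix_getgid', 'posix_getlogin',
    'posix_uname',
];

// Parse a disable_functions value as php.ini does: comma-separated,
// surrounding whitespace ignored, names compared case-insensitively.
function parseDisableFunctions(string $value): array
{
    $names = array_map('trim', explode(',', $value));
    $names = array_filter($names, fn(string $n): bool => $n !== '');
    return array_map('strtolower', array_values($names));
}

// function_exists() is false both when PHP was built with --disable-posix
// and when the name is listed in disable_functions, so it is the runtime
// check that matters; 'covered_by_ini' shows what the setting alone does.
function auditPosix(string $disableValue): array
{
    $disabled = parseDisableFunctions($disableValue);
    $report = ['extension_loaded' => extension_loaded('posix'), 'functions' => []];
    foreach (POSIX_SENSITIVE as $fn) {
        $report['functions'][$fn] = [
            'callable_now'   => function_exists($fn),
            'covered_by_ini' => in_array($fn, $disabled, true),
        ];
    }
    return $report;
}

// Constructed disable_functions value in the form the thread suggests.
$ini = 'posix_getpwnam, posix_getpwuid, posix_getgrnam, posix_getgrgid';
$report = auditPosix($ini);
printf("posix extension loaded: %s\n", $report['extension_loaded'] ? 'yes' : 'no');
foreach ($report['functions'] as $fn => $state) {
    printf("%-16s callable=%-3s disabled_in_ini=%s\n", $fn,
        $state['callable_now'] ? 'yes' : 'no',
        $state['covered_by_ini'] ? 'yes' : 'no');
}
```

Running it as `php -d disable_functions="$ini_value" audit.php` (php's `-d` sets an ini directive for that run) shows the effect of a candidate setting before it is committed to php.ini; any function still reported callable but not covered is a gap in the list.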
The way it is now is a reasonable default. And we can't really change it because it would break so many things. Enabling PHP *is* a risk, and you can mitigate it by using a specific hardened configuration. We *could* have a "super-hardened" flag that used together with PHP would bring up a minimal conf file, but I'm not sure it's really useful. Closing as WONTFIX, please reopen if you think you can make us change our minds :)