Bug 99086 - net-www/apache 2 in portage breaks php safe mode restrictions
Summary: net-www/apache 2 in portage breaks php safe mode restrictions
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High minor
Assignee: PHP Bugs
URL: http://orion.souepl.cz:8080/a/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-15 02:23 UTC by Jakub Moc (RETIRED)
Modified: 2006-01-20 01:33 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
php.ini mod_php/CLI (php.ini.txt, 38.56 KB, text/plain) - 2005-07-15 02:32 UTC, Miroslav Osladil
emerge --info (info.txt, 1.83 KB, text/plain) - 2005-07-15 02:33 UTC, Miroslav Osladil
screenshot of the bug (bug.png, 163.93 KB, image/png) - 2005-07-15 03:00 UTC, Miroslav Osladil
portage based php (portage-php.png, 67.08 KB, image/png) - 2005-07-15 04:06 UTC, Miroslav Osladil
source based php (source-php.png, 94.96 KB, image/png) - 2005-07-15 04:08 UTC, Miroslav Osladil
strace of apache2 from portage (strace2.log, 125.39 KB, text/plain) - 2005-07-19 00:22 UTC, Jakub Moc (RETIRED)
strace of apache2 compiled manually (strace2.log, 38.82 KB, text/plain) - 2005-07-19 00:45 UTC, Jakub Moc (RETIRED)

Description Jakub Moc (RETIRED) gentoo-dev 2005-07-15 02:23:32 UTC
A really weird problem with mod_php-4.4.0 was reported to me on IRC by a Gentoo
user:

mod_php-4.4.0 does not obey safe mode restrictions and happily includes
/etc/hostname. But it properly FAILS to include /etc/hosts or other files, so
this issue seems *filename* specific.


Reproducible: Always
Steps to Reproduce:
1. Setup mod_php-4.4.0 with safe mode ON and open_basedir which does NOT include
/etc and reload apache.

2. Create this test.php file and open in browser:

<?php
// Reproducer: with safe_mode on and open_basedir excluding /etc, both
// includes below must fail; the bug is that the first one does not.
echo 'include "/etc/hostname"';
include "/etc/hostname";
echo 'include "/etc/hosts"';
include "/etc/hosts";
phpinfo();
?>

Actual Results:  
See http://orion.souepl.cz:8080/a/

1. mod_php does not obey safe mode restrictions and happily includes
/etc/hostname. But it properly FAILS to include /etc/hosts or other files so it
seems *filename* specific.

2. This problem does NOT manifest itself in CLI with identical configuration
file - i.e. something like '/usr/bin/php test.php'

3. This problem also disappears if you compile mod_php manually, so it seems
Gentoo ebuild specific.

4. I tested on 4.3.11 and mod_php-5.1.0_beta-r2 *from portage* and there is no
such problem as well.

5. There may be other filenames exhibiting this problem, but I failed to find
them so far.

Expected Results:  
mod_php-4.4.0 should always obey safe mode, open_basedir and other restrictions
for every filename.
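The report expects two independent checks to stop the includes above: open_basedir (the resolved target must lie under an allowed directory) and safe_mode (the target must be owned by the same uid as the running script). The following is an added Python model of those two rules, not PHP's own implementation and not code from the bug; it evaluates the scenarios from this description and from comment 10 below. File paths, uids (81 for apache, as in comment 10) and the open_basedir value are constructed to match what the report shows, and are passed in explicitly because a test cannot create root-owned files.

```python
import posixpath

# Constructed model of PHP 4's include-time restrictions (added illustration,
# not PHP source). Two rules are applied in PHP's order:
#   1. open_basedir: the normalised target path must sit under one of the
#      allowed directories (prefix match, so a trailing "/" is enforced to
#      keep "/htdocs2" from matching "/htdocs").
#   2. safe_mode: the target's owner uid must equal the script's owner uid
#      ("The script whose uid is N is not allowed to access ... owned by uid M").

def resolve(script_dir, path):
    """Normalise an include target without touching the filesystem: relative
    targets are taken from the script's directory and '..' is collapsed, so a
    traversal such as ../../etc/passwd is judged on its real destination."""
    if not path.startswith("/"):
        path = posixpath.join(script_dir, path)
    return posixpath.normpath(path)

def within_open_basedir(resolved, allowed_dirs):
    """Prefix check against each open_basedir entry (colon-separated in php.ini)."""
    for d in allowed_dirs:
        d = posixpath.normpath(d)
        if resolved == d or resolved.startswith(d.rstrip("/") + "/"):
            return True
    return False

def include_allowed(script_path, script_uid, target, target_uid, open_basedir, safe_mode):
    """Return (allowed, reason) for script_path including target."""
    resolved = resolve(posixpath.dirname(script_path), target)
    if open_basedir and not within_open_basedir(resolved, open_basedir):
        return False, "open_basedir restriction in effect: %s" % resolved
    if safe_mode and script_uid != target_uid:
        return False, ("SAFE MODE Restriction in effect: script uid %d may not "
                       "access %s owned by uid %d" % (script_uid, resolved, target_uid))
    return True, "included %s" % resolved

# Scenarios taken from the bug report; ownerships are constructed (81 = apache, 0 = root).
DOCROOT = "/var/www/localhost/htdocs"
BASEDIR = [DOCROOT]

def page_scenarios():
    return {
        # description: /etc/hostname lies outside open_basedir and must be refused
        "etc_hostname": include_allowed(DOCROOT + "/test.php", 81, "/etc/hostname", 0, BASEDIR, True),
        # comment 10, case 1: root-owned script including an apache-owned file
        "root_script_apache_file": include_allowed(DOCROOT + "/test.php", 0, "./test.txt", 81, BASEDIR, True),
        # comment 10, case 2: apache-owned script including a root-owned file
        "apache_script_root_file": include_allowed(DOCROOT + "/test.php", 81, "./test.txt", 0, BASEDIR, True),
        # same owner, inside the docroot: the only case that should succeed
        "same_owner": include_allowed(DOCROOT + "/a/index.php", 81, "../lib/helper.php", 81, BASEDIR, True),
        # traversal out of the docroot is caught after normalisation
        "traversal": include_allowed(DOCROOT + "/a/index.php", 81, "../../../../../etc/passwd", 0, BASEDIR, True),
    }

if __name__ == "__main__":
    for name, (ok, why) in page_scenarios().items():
        print("%-24s %s  %s" % (name, "ALLOW" if ok else "DENY ", why))
```

The model deliberately stops at the two rules the report exercises (it ignores safe_mode_gid and the include_path search). It describes PHP 4 behaviour only: safe_mode was removed in PHP 5.4, and the php.net security note linked in comment 22 is why the Gentoo security team treated it as an application-level policy rather than a boundary.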
Comment 1 Miroslav Osladil 2005-07-15 02:32:45 UTC
Created attachment 63447 [details]
php.ini mod_php/CLI
Comment 2 Miroslav Osladil 2005-07-15 02:33:08 UTC
Created attachment 63448 [details]
emerge --info
Comment 3 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-15 02:49:02 UTC
When I open the URL you gave I get the output shown below. From this I cannot
see that something is wrong:

include "/etc/hostname" =>
Warning: main(): open_basedir restriction in effect. File(/etc/hostname) is not
within the allowed path(s): (/var/www/localhost/htdocs) in
/var/www/localhost/htdocs/a/index.php on line 3

Warning: main(/etc/hostname): failed to open stream: Operation not permitted in
/var/www/localhost/htdocs/a/index.php on line 3

Warning: main(): Failed opening '/etc/hostname' for inclusion
(include_path='.:/usr/lib/php') in /var/www/localhost/htdocs/a/index.php on line 3

include "/etc/hosts" =>
Warning: main(): open_basedir restriction in effect. File(/etc/hosts) is not
within the allowed path(s): (/var/www/localhost/htdocs) in
/var/www/localhost/htdocs/a/index.php on line 6

Warning: main(/etc/hosts): failed to open stream: Operation not permitted in
/var/www/localhost/htdocs/a/index.php on line 6

Warning: main(): Failed opening '/etc/hosts' for inclusion
(include_path='.:/usr/lib/php') in /var/www/localhost/htdocs/a/index.php on line 6
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2005-07-15 02:59:28 UTC
(In reply to comment #3)
> When I open the URL you gave I get the output shown below. From this I cannot
> see that something is wrong:

Sebastian, if I did not see the problem on my own eyes refreshing browser
windows quite a few time, I would not believe this either. :) The problem
vanished after:

mv /etc/hostname /etc/hostname.old && mv /etc/hostname.old /etc/hostname

Go figure... *really confused*
Comment 5 Miroslav Osladil 2005-07-15 03:00:26 UTC
Created attachment 63452 [details]
screenshot of the bug
Comment 6 Miroslav Osladil 2005-07-15 04:06:08 UTC
Created attachment 63453 [details]
portage based php

emerge php mod_php
Comment 7 Miroslav Osladil 2005-07-15 04:08:51 UTC
Created attachment 63454 [details]
source based php

for apache
./configure --prefix=/opt/apache2 --enable-so && make && make install

for php
./configure --prefix=/opt/php --with-apxs2=/opt/apache2/bin/apxs && make &&
make install
cp php.ini-dist /opt/php/lib/php.ini
In php.ini I enabled safe_mode as in the original php.ini from portage, i.e. the same
configuration.
Comment 8 Miroslav Osladil 2005-07-15 04:10:48 UTC
the original portage apache/php is on http://orion.souepl.cz:8080/a/
the source apache/php is on http://orion.souepl.cz:8081/a/
Comment 9 Miroslav Osladil 2005-07-15 04:53:18 UTC
problem #2

portage apache 2.0.54-r8 doesn't work with php 4.4.0, nor with php 4.4.0 built from the original source.
From php scripts, files with another uid can be included:

index.php apache:apache
test.txt root:root
<? include "text.txt"; ?> doesn't work with php 4.4.0 in safe mode

With apache compiled from the original source without portage patches, started first with the
portage mod_php and again with mod_php from the original php sources, all passed fine. The php server
can't include the scripts of another user :) or scripts with another uid. safe_mode is working :)

index.php apache:apache
test.txt root:root
<? include "text.txt"; ?> works correctly with php 4.4.0 in safe mode
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2005-07-15 04:57:25 UTC
I was able to verify problem described in comments #6 and following with
mod_php-5.1.0_beta-r2 and apache-2.0.54-r12 as well.

1/ 

# ls -la | grep test
-rw-r--r--   1 root   root     158 Jul 15 12:58 test.php
-rw-r--r--   1 apache apache   135 Jul 15 13:01 test.txt

results in:

Warning: main() [function.main]: SAFE MODE Restriction in effect. The script
whose uid is 0 is not allowed to access ./test.txt owned by uid 81 in
/var/www/localhost/htdocs/test.php on line 6

Warning: main(./test.txt) [function.main]: failed to open stream: Not a
directory in /var/www/localhost/htdocs/test.php on line 6

Warning: main() [function.include]: Failed opening './test.txt' for inclusion
(include_path='.:/usr/share/php') in /var/www/localhost/htdocs/test.php on line 6

2/ 

# ls -la | grep test
-rw-r--r--   1 apache apache   158 Jul 15 12:58 test.php
-rw-r--r--   1 root   root     135 Jul 15 13:01 test.txt

results in successful include.

Seems like we have a major problem with apache. :/
Comment 11 Miroslav Osladil 2005-07-15 05:17:51 UTC
the portage apache 2.0.54 daemon with portage php is running on http://orion.souepl.cz:8080/a/ and 
the second instance of source compiled apache 2.0.54 on http://orion.souepl.cz:8081/a/

The source compiled apache was also tested with mod_php which is running on port 8080
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 05:20:42 UTC
Apache herd, any hint?
Comment 13 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-07-18 22:02:32 UTC
I have been trying to reproduce this in a chroot, but I haven't been able to, so
I'm hoping the people who can reproduce will provide us more information.
Do you have any USE-flags for mod_php, php, or apache set in
/etc/portage/package.use?

Can you run a strace on the requests? (Might as well do one on the working one
as well as the buggy one, to compare the two)

to do a strace with apache, add -X to the command line
for example, in my trying to reproduce this, I used:
strace /usr/sbin/apache2 -X -k start -D PHP4

I would also test it using telnet instead of a web browser. The request should
take the form:

GET /test.php HTTP/1.1
Host: localhost
Connection: close
Comment 14 Jakub Moc (RETIRED) gentoo-dev 2005-07-18 23:56:44 UTC
(In reply to comment #13)
> Do you have any USE-flags for mod_php, php, or apache set in
> /etc/portage/package.use?

No. If it helps, here are the flags used:

emerge -pv apache mod_php php

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-www/apache-2.0.54-r8  +berkdb -doc +gdbm +ipv6 -ldap
(-selinux) +ssl -static -threads 0 kB
[ebuild   R   ] dev-php/mod_php-4.4.0  +X +apache2 +berkdb +crypt +curl -debug
-doc -fdftk -firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp
+imap -informix +ipv6 -java +jpeg -kerberos -ldap -mcal -memlimit -mssql +mysql
+nls -oci8 -odbc +pam +png -postgres -snmp +spell +ssl +tiff +truetype +xml2
-yaz 0 kB
[ebuild   R   ] dev-php/php-4.4.0  +X +berkdb +crypt +curl -debug -doc -fdftk
-firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp +imap
-informix +ipv6 -java +jpeg -kerberos -ldap -mcal -memlimit -mssql +mysql
+ncurses +nls -oci8 -odbc +pam +png -postgres +readline -snmp +spell +ssl +tiff
+truetype +xml2 -yaz 0 kB


> Can you run a strace on the requests? (Might as well do one on the working one
> as well as the buggy one, to compare the two)

Will do later.
 
> I would also test it using telnet instead of a web browser. The request should
> take the form:
> 
> GET /test.php HTTP/1.1
> Host: localhost
> Connection: close

Same result as shown in the report above:

1/ apache2 from portage:

# telnet localhost 80 >& test1.log
GET /a/index.php HTTP/1.1
Host: localhost
Connection: close

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HTTP/1.1 200 OK
Date: Tue, 19 Jul 2005 06:45:47 GMT
Server: Apache/2.0.54 (Gentoo/Linux) mod_ssl/2.0.54 OpenSSL/0.9.7e DAV/2 PHP/4.4.0
X-Powered-By: PHP/4.4.0
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
X-Pad: avoid browser bug

20a1
include file with other uid from portage sources....<br>index.php apache:apache<br>file.txt root:root<hr>hello world...<hr><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">

---

2/ apache2 compiled manually:

# telnet localhost 8080 >& test2.log
GET /a/index.php HTTP/1.1
Host: localhost
Connection: close


Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HTTP/1.1 200 OK
Date: Tue, 19 Jul 2005 06:46:58 GMT
Server: Apache/2.0.54 (Unix) PHP/4.4.0
X-Powered-By: PHP/4.4.0
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

2294
include file with other uid from original sources....<br>index.php apache:apache<br>file.txt root:root<hr><br />
<b>Warning</b>:  main(): SAFE MODE Restriction in effect.  The script whose uid is 81 is not allowed to access ./file.txt owned by uid 0 in <b>/opt/apache2/htdocs/a/index.php</b> on line <b>6</b><br />
<br />
<b>Warning</b>:  main(file.txt): failed to open stream: Resource temporarily unavailable in <b>/opt/apache2/htdocs/a/index.php</b> on line <b>6</b><br />
<br />
<b>Warning</b>:  main(): Failed opening 'file.txt' for inclusion (include_path='.:/opt/php/lib/php') in <b>/opt/apache2/htdocs/a/index.php</b> on line <b>6</b><br />
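The raw-request comparison in comments 13 and 14 can be turned into a regression check: a response that carries a "SAFE MODE Restriction" or "open_basedir restriction" warning shows the restriction firing, while a response containing the contents of the root-owned file and no warning shows the bypass. The following is an added Python example (not from the bug or from Gentoo) that parses such responses and classifies them; the two sample responses are constructed to mirror the telnet transcripts above, and the marker "hello world..." is the content of file.txt as read in the strace shown later in this bug.

```python
import re

# Added example: classify raw HTTP responses captured with telnet so the
# portage-built and hand-built apache instances can be compared mechanically.
# Sample responses below are constructed from the transcripts in comment 14.

ENFORCED_RE = re.compile(r"(SAFE MODE Restriction in effect|open_basedir restriction in effect)")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body).
    Chunk-size lines are left in the body; they never match the patterns."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # transcripts pasted with bare newlines
        head, sep, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body

def classify(raw, marker):
    """Return (verdict, server) with verdict in {'enforced', 'bypassed',
    'inconclusive'}. A leaked marker with no warning is the bug."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "?")
    if ENFORCED_RE.search(body):
        verdict = "enforced"
    elif marker in body:
        verdict = "bypassed"
    else:
        verdict = "inconclusive"  # e.g. an error status or a truncated body
    return verdict, server

# Constructed sample: portage apache2, file content leaks without a warning.
PORTAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.54 (Gentoo/Linux) PHP/4.4.0\r\n"
    "X-Powered-By: PHP/4.4.0\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
    "20a1\r\n"
    "include file with other uid from portage sources....<br>index.php "
    "apache:apache<br>file.txt root:root<hr>hello world...<hr>\r\n"
)

# Constructed sample: manually built apache2, safe_mode refuses the include.
MANUAL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.54 (Unix) PHP/4.4.0\r\n"
    "X-Powered-By: PHP/4.4.0\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "2294\r\n"
    "include file with other uid from original sources....<br>index.php "
    "apache:apache<br>file.txt root:root<hr><br />\n"
    "<b>Warning</b>:  main(): SAFE MODE Restriction in effect.  The script whose uid "
    "is 81 is not allowed to access ./file.txt owned by uid 0 in "
    "<b>/opt/apache2/htdocs/a/index.php</b> on line <b>6</b><br />\n"
)

def compare(responses, marker="hello world..."):
    """Run the classifier over a name -> raw response mapping."""
    return {name: classify(raw, marker) for name, raw in responses.items()}

if __name__ == "__main__":
    for name, (verdict, server) in compare({"portage": PORTAGE, "manual": MANUAL}).items():
        print("%-8s %-12s %s" % (name, verdict, server))
```

Keeping the request identical on both ports (one GET with Connection: close, as comment 13 asks) is what makes the two responses comparable; a browser adds favicon and keep-alive requests that would have to be filtered out first.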
Comment 15 Jakub Moc (RETIRED) gentoo-dev 2005-07-19 00:22:27 UTC
Created attachment 63754 [details]
strace of apache2 from portage

'strace -ostrace1.log /usr/sbin/apache2 -X -k start -D PHP4' and load index.php
file from browser
Comment 16 Jakub Moc (RETIRED) gentoo-dev 2005-07-19 00:45:12 UTC
Created attachment 63755 [details]
strace of apache2 compiled manually

'strace -ostrace2.log /opt/apache2/bin/httpd -X -k start -D PHP' and load
index.php file from browser
Comment 17 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-07-19 15:45:08 UTC
I was hoping for a strace of the including /etc/hostname but not /etc/hosts to
see  how it's treating those two files differently.

Also, there are far too many differences between your portage-compiled and
source-compiled apache and mod_php, can you make sure your source-compiled is
using the same modules and configurations?

===
> I would also test it using telnet instead of a web browser. The request should
> take the form:
> 
> GET /test.php HTTP/1.1
> Host: localhost
> Connection: close

Same result as shown in the report above:
===

The point of this wasn't as another way to reproduce it, but to make the strace
cleaner. Browsers leave the connection open and run other requests on the same
connection. Browsers also tend to request favicon.ico.
Comment 18 Jakub Moc (RETIRED) gentoo-dev 2005-07-19 16:01:59 UTC
(In reply to comment #17)
> I was hoping for a strace of the including /etc/hostname but not /etc/hosts to
> see  how it's treating those two files differently.

Scratch that part of the bug report; as stated in comment #4, it suddenly went
away after renaming the file back and forth and cannot be reproduced any more,
so I have no clue what caused that. The problem w/ apache:apache owned php
script including root:root owned files persists and can be reproduced every time.

> Also, there are far too many differences between your portage-compiled and
> source-compiled apache and mod_php, can you make sure your source-compiled is
> using the same modules and configurations?

I can comment out the other modules in apache version from portage, will try
that tomorrow, but as I see in the strace log, it happily includes that file:

open("/var/www/localhost/htdocs/a/file.txt", O_RDONLY) = 9
fstat64(9, {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
fstat64(9, {st_mode=S_IFREG|0644, st_size=14, ...}) = 0
lseek(9, 0, SEEK_CUR)                   = 0
lseek(9, 0, SEEK_SET)                   = 0
read(9, "hello world...", 8192)         = 14
read(9, "", 8192)                       = 0
close(9)                                = 0
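The strace excerpt above is the decisive evidence: a successful open() of a root-owned file by a script running as uid 81. The following is an added Python example (not part of the bug or of Gentoo's tooling) that walks such a log from a single apache worker (started with -X, as comment 13 describes), keeps every open()/openat() that returned a real descriptor and flags the ones that PHP's open_basedir or safe_mode same-owner rule should have refused. strace does not record file ownership, so a uid table is supplied; the log lines and the table are constructed to resemble this comment (81 = apache, 0 = root).

```python
import re

# Added example: audit an strace log for opens that violate PHP's
# restrictions. Log lines and the OWNERS table are constructed.

# Matches open("/path", FLAGS...) = N and openat(AT_FDCWD, "/path", FLAGS...) = N
OPEN_RE = re.compile(
    r'^(open|openat)\((?:AT_FDCWD,\s*)?"([^"]+)",\s*([A-Z_|0-9]+)[^=]*=\s*(-?\d+)'
)

STRACE_LINES = """\
open("/var/www/localhost/htdocs/a/index.php", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0644, st_size=312, ...}) = 0
open("/var/www/localhost/htdocs/a/file.txt", O_RDONLY) = 9
read(9, "hello world...", 8192)         = 14
close(9)                                = 0
open("/etc/hostname", O_RDONLY)         = -1 EACCES (Permission denied)
open("/var/log/apache2/access_log", O_WRONLY|O_APPEND|O_CREAT, 0666) = 10
""".splitlines()

OWNERS = {  # constructed ownership table
    "/var/www/localhost/htdocs/a/index.php": 81,
    "/var/www/localhost/htdocs/a/file.txt": 0,
    "/var/log/apache2/access_log": 0,
}

def successful_opens(lines):
    """Yield (path, flags) for every open()/openat() that returned a real fd.
    A negative result is what a working restriction produces, so it is skipped."""
    for line in lines:
        m = OPEN_RE.match(line)
        if m and int(m.group(4)) >= 0:
            yield m.group(2), m.group(3)

def under(path, dirs):
    """Prefix match with a trailing slash so /htdocs2 does not match /htdocs."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)

def audit(lines, script_path, open_basedir, owners, ignore=()):
    """Return [(path, reason)] for opened files that violate open_basedir or the
    safe_mode same-owner rule for script_path. `ignore` lists directories that
    apache itself touches (logs, config) and that PHP's checks never cover."""
    script_uid = owners.get(script_path)
    findings = []
    for path, _flags in successful_opens(lines):
        if under(path, ignore):
            continue
        if not under(path, open_basedir):
            findings.append((path, "outside open_basedir"))
        elif owners.get(path) != script_uid:
            findings.append((path, "owner uid %s != script uid %s" % (owners.get(path), script_uid)))
    return findings

if __name__ == "__main__":
    for path, reason in audit(STRACE_LINES, "/var/www/localhost/htdocs/a/index.php",
                              ["/var/www/localhost/htdocs"], OWNERS, ignore=("/var/log/apache2",)):
        print("VIOLATION %s: %s" % (path, reason))
```

Without the ignore list the log file open is reported as outside open_basedir, which is the noise comment 17 warns about when the two builds load different modules; the ignore list is how to keep the comparison between the portage and hand-built apache to the opens PHP is responsible for.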
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 00:57:42 UTC
Any news on this one? 
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-07-29 03:01:52 UTC
In my tests:

apache-2.0.52-r1 or 2.0.54-r8, mod_php 4.4.0
-rw-r--r--  1 apache apache 26 Jul 29 10:21 text.php
-rw-r--r--  1 root   root   17 Jul 29 10:21 text.txt
--> include of text.txt from text.php is forbidden by way of safe mode

So my results differ.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-07-30 07:00:58 UTC
This needs more confirmation, as I can't reproduce and the maintainer can't
either... Setting it to Auditing.
Comment 22 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-02 00:34:24 UTC
Reassigning to php herd, the security team does not usually process safe_mode 
bugs.

http://www.php.net/security-note.php
Comment 23 Sebastian Bergmann (RETIRED) gentoo-dev 2006-01-20 01:33:06 UTC
dev-php/php, dev-php/mod_php, and dev-php/php-cgi have been replaced by
dev-lang/php.

Please upgrade (following the guide at
http://svn.gnqs.org/projects/gentoo-php-overlay/file/docs/php-upgrading.html?format=raw)
to the new-style PHP package and open a new bug if the problem persists.

Thank you.