Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:27499
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: error (pb1.pair.com: domain adaniels.nl from 82.94.235.198 cause and error)
Message-ID: <45AE18E1.3040302@adaniels.nl>
Date: Wed, 17 Jan 2007 13:38:57 +0100
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: Alain Williams <addw@phcomp.co.uk>
CC: Greg Beaver <cellog@php.net>, Stanislav Malyshev <stas@zend.com>,
        Stefan Esser <sesser@hardened-php.net>, Marcus Boerger <helly@php.net>,
        internals@lists.php.net
References: <F1076B95-2D05-4690-AE84-21FC0552F17A@ch2o.info> <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de> <Pine.LNX.4.64.0701141301180.32133@mail.zend.com> <45AA116F.7020109@hardened-php.net> <Pine.LNX.4.64.0701141436460.16363@mail.zend.com> <45AA961D.4090401@php.net> <45AD63A1.2040206@adaniels.nl> <20070117084600.GA19933@mint.phcomp.co.uk>
In-Reply-To: <20070117084600.GA19933@mint.phcomp.co.uk>
Content-Type: multipart/alternative;
 boundary="------------030804030304020409000208"
Subject: Re: [PHP-DEV] Comments on PHP security
From: info@adaniels.nl (Arnold Daniels)

--------------030804030304020409000208
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi again,

Yes we can share it with the world, but first it should be reviewed by 
others to see if we haven't missed anything which makes the system less 
secure instead of more. Also the source code is currently really dirty 
and specified on our situation (to little to config, mod_diffpriv also 
does mass virtual hosting, etc.).

Please send me an e-mail, if you would like to review it and I'll send 
you the source code. Again, please note that you need to patch your 
kernel for it, so you need to do it on some test server or a virtual 
machine.

Best regards,
Arnold

PS. The line in my previous mail should read: "We (not me) have written 
a kernel patch to allow switching *of the user* of the current processes 
(much like sudo) and a matching apache module.". But I guess you understood.


Alain Williams schreef:
> On Wed, Jan 17, 2007 at 12:45:37AM +0100, Arnold Daniels wrote:
>   
>> Hi,
>>
>> First of all I admit I'm no PHP security expert or PHP internals expert
>> or anything, so please don't flame me if I say something stupid.
>>
>> Wouldn't simply adding a flag to allow url's (which includes all '*://'
>> streams), in functions that opens streams be enough? For example:
>> fopen($file, 'r') and fopen($url, 'ru') and fopen('php://output', 'ru').
>> To my opinion, using '*://' streams is an advanced feature. Developers
>> who are using that, should be able to make sure no urls are opened.
>> Again, just an idea.
>>     
>
> Brilliant. The only thing that need be added is a config var to control
> the default behaviour - which should be 'don't allow'.
> Doesn't fix everything (eg includes), but it is a good start.
> Note that: allow_url_fopen is not the same thing as that does not allow
> the program to specify when it wants it.
>
>   
>> Last, I'm a software developer at a shared hosting company. To my
>> opinion, making sure that users don't touch other people's files, does
>> not belong in the PHP layer. With other apache modules you can do nasty
>> thing as well. We (not me) have written a kernel patch to allow
>> switching of the current processes (much like sudo) and a matching
>> apache module. Since the privileges only allow the user or group to
>> access the file, linux does the rest. An other solution is to start PHP
>> as cgi under the correct user, but other things will never be really save.
>>     
>
> Care to share that with the world ?
>
>   

--------------030804030304020409000208--