Newsgroups: php.internals
Xref: news.php.net php.internals:40114
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Thu, 28 Aug 2008 00:02:25 +0200
To: "Stanislav Malyshev"
Cc: "Alexey Zakhlestin", "PHP Internals"
In-Reply-To: <48B5CE4A.7000807@zend.com>
References: <48B5CE4A.7000807@zend.com>
Subject: Re: [PHP-DEV] open_basedir + sessions bug (or a feature?)
From: pierre.php@gmail.com ("Pierre Joye")

On Wed, Aug 27, 2008 at 11:59 PM, Stanislav Malyshev wrote:
> Hi!
>
>> ext/sessions/mod_files.c:281 has a hardcoded openbasedir-check
>> skipping of "/tmp" path for storing session-files, if
>> sessions.save_path is not manually set.
>
> I would think the idea was to make it easier on inexperienced users. Since
> default AFAIK is /tmp, and it is highly unlikely that somebody would need to
> hide /tmp from the users, it makes more scenarios work out of the box.
>
>> Anyway, this looks like something done wrong from the beginning.
>> Shouldn't "/tmp" be explicitly added to open_basedir list? Why should
>> it have any special meaning?
>> I propose to remove special treatment of "/tmp" (should be mentioned
>> in upgrade-docs)
>
> Is there any problem that this treatment is causing? I.e. on Mac the default
> is different, but that's not a problem of this treatment - it's rather
> missing special treatment of /var/tmp on Mac, I'd say :) So Mac users don't
> get this boon, but is it the reason to remove it from other users?

Yes, it is in my opinion a flaw. It is the admin's role to define a correct
open_basedir set. The temporary directory should not be system-wide in a
shared hosting environment, especially not when the sessions are stored
there by default.
I don't think we should fix documentation problems by adding such tricks in
a security-related feature :)

Cheers,
--
Pierre
http://blog.thepimp.net | http://www.libgd.org
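The point under discussion, shown as an added example: this is a small model of an open_basedir-style path check written for this note, not PHP's own php_check_open_basedir() or the code in ext/session/mod_files.c. It assumes a colon-separated list of allowed directories (as open_basedir uses on Unix) and resolves only "." and ".." segments, without following symlinks, which PHP's realpath-based check does handle. The function session_path_allowed() is hypothetical: with exempt_tmp set it reproduces the lax behaviour the thread describes (an unset save_path defaults to /tmp and skips the check); with it cleared, the admin has to list /tmp in open_basedir explicitly, as Alexey and Pierre propose. The sample directory names are constructed.

```c
/* Model of an open_basedir-style check (example code, not PHP's). */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024

/* Collapse "." and ".." in an absolute path; no symlink resolution.
 * Rejects relative paths, paths that climb above "/", and overlong input. */
static bool normalize_path(const char *in, char *out, size_t outlen)
{
    if (in[0] != '/' || strlen(in) >= outlen || strlen(in) >= MAX_PATH_LEN)
        return false;
    char buf[MAX_PATH_LEN];
    strcpy(buf, in);
    out[0] = '\0';
    size_t len = 0;
    char *save = NULL;
    for (char *seg = strtok_r(buf, "/", &save); seg; seg = strtok_r(NULL, "/", &save)) {
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {
            if (len == 0)
                return false;               /* would escape "/" */
            while (len > 0 && out[len - 1] != '/')
                len--;
            len--;                          /* drop the separator too */
            out[len] = '\0';
            continue;
        }
        size_t seglen = strlen(seg);
        if (len + 1 + seglen >= outlen)
            return false;
        out[len++] = '/';
        memcpy(out + len, seg, seglen + 1);
        len += seglen;
    }
    if (len == 0) {
        out[0] = '/';
        out[1] = '\0';
    }
    return true;
}

/* True when `path` lies inside one of the colon-separated `basedirs`.
 * The prefix match must end on a segment boundary, otherwise a basedir of
 * "/var/www/site1" would also authorise "/var/www/site10". */
static bool in_basedir(const char *basedirs, const char *path)
{
    char norm[MAX_PATH_LEN];
    if (!normalize_path(path, norm, sizeof norm))
        return false;
    char list[MAX_PATH_LEN];
    if (strlen(basedirs) >= sizeof list)
        return false;
    strcpy(list, basedirs);
    char *save = NULL;
    for (char *dir = strtok_r(list, ":", &save); dir; dir = strtok_r(NULL, ":", &save)) {
        char nd[MAX_PATH_LEN];
        if (!normalize_path(dir, nd, sizeof nd))
            continue;
        size_t dl = strlen(nd);
        if (strncmp(norm, nd, dl) != 0)
            continue;
        if (dl == 1 || norm[dl] == '\0' || norm[dl] == '/')
            return true;
    }
    return false;
}

/* Hypothetical session save-path check. An empty save_path means the
 * default "/tmp". With exempt_tmp the default is accepted without consulting
 * basedirs (the lax behaviour discussed above); without it, /tmp must be
 * listed explicitly by the administrator. */
static bool session_path_allowed(const char *basedirs, const char *save_path, bool exempt_tmp)
{
    bool is_default = (save_path == NULL || save_path[0] == '\0');
    if (is_default && exempt_tmp)
        return true;
    return in_basedir(basedirs, is_default ? "/tmp" : save_path);
}

int main(void)
{
    const char *bd = "/var/www/site1:/home/site1";   /* constructed sample */
    printf("default /tmp, lax:    %d\n", session_path_allowed(bd, NULL, true));
    printf("default /tmp, strict: %d\n", session_path_allowed(bd, NULL, false));
    printf("explicit, in tree:    %d\n", session_path_allowed(bd, "/home/site1/sess", false));
    printf("traversal attempt:    %d\n", session_path_allowed(bd, "/home/site1/../site2", false));
    printf("prefix trick:         %d\n", in_basedir(bd, "/var/www/site10"));
    return 0;
}
```

Running it prints 1, 0, 1, 0, 0 in that order: the lax variant lets the default session store live outside every listed directory, while the strict variant reports it only once "/tmp" is added to the list. The boundary check on the prefix is the detail most hand-rolled versions of this test get wrong.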