Newsgroups: php.internals
Subject: Re: [PHP-DEV] https://bugs.php.net/bug.php?id=52312
From: Reindl Harald <h.reindl@thelounge.net>
To: internals@lists.php.net
Date: Wed, 17 Aug 2011 14:13:00 +0200
Message-ID: <4E4BB04C.3020200@thelounge.net>
References: <4E4AE153.20704@thelounge.net>

On 17.08.2011 13:14, Pierre Joye wrote:
> On Tue, Aug 16, 2011 at 11:29 PM, Reindl Harald wrote:
>> Hi
>>
>> https://bugs.php.net/bug.php?id=52312
>>
>> does the security problem in combination with open_basedir only
>> occur if there are symlinks created?
>>
>> * I guess in most secure setups "symlink" is disabled
>
> For what I can see, almost no setup disables the symlink functions in
> php, even less in the shell.

defaults on all servers I have maintained for 10 years

"popen" is disabled per vhost with "php_admin_value suhosin.executor.func.blacklist"
since "disable_functions" is too dumb, working on -directive

disable_functions = "exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, mail, symlink"

>> * give us an option to bypass the check in such environments
>
> Well, there are other better ways to control access than relying on
> open_basedir. Permissions are on, that's why I would not add special
> cases here

if you are hosting some hundred domains there are not really better ways
since you will not add hundreds of system users while you have to deal with FTP/SFTP

and exactly these setups for some hundred domains would benefit most from the realpath cache
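Added example, not part of the thread or of PHP itself: a small PHP audit script that checks whether the per-vhost hardening described above (a disable_functions list that includes symlink, plus open_basedir) is actually in effect for the SAPI a script runs under. It assumes the disable_functions list quoted in the mail as its baseline; the function names are constructed from that list only.

```php
<?php
// Added example (not from the mailing-list thread). Baseline is the
// disable_functions value quoted in the mail above; symlink is included
// because bug 52312 concerns open_basedir and symlinks.
const REQUIRED_DISABLED = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'proc_close',
    'proc_nice', 'proc_terminate', 'proc_get_status', 'pcntl_exec',
    'apache_child_terminate', 'posix_kill', 'posix_mkfifo', 'posix_setpgid',
    'posix_setsid', 'posix_setuid', 'mail', 'symlink',
];

/** Parse a disable_functions value ("a, b,c") into a lower-cased set. */
function parseDisableFunctions(string $ini): array
{
    $names = array_filter(array_map('trim', explode(',', $ini)), 'strlen');
    return array_fill_keys(array_map('strtolower', $names), true);
}

/**
 * Return baseline functions that are neither listed in disable_functions
 * nor otherwise unavailable. function_exists() returns false for a function
 * that was disabled via disable_functions, and also for one that was never
 * compiled in (e.g. pcntl_exec without the pcntl extension), so a function
 * is only reported when it is both unlisted and still callable.
 */
function missingFromDisableList(string $ini, array $required = REQUIRED_DISABLED): array
{
    $disabled = parseDisableFunctions($ini);
    $missing  = [];
    foreach ($required as $fn) {
        $listed   = isset($disabled[strtolower($fn)]);
        $callable = function_exists($fn);
        if (!$listed && $callable) {
            $missing[] = $fn;
        }
    }
    return $missing;
}

/** Audit the running SAPI: which baseline functions are still callable,
 *  and whether open_basedir is set at all for this vhost. */
function auditVhostHardening(): array
{
    return [
        'disable_functions_missing' => missingFromDisableList((string) ini_get('disable_functions')),
        'open_basedir_set'          => trim((string) ini_get('open_basedir')) !== '',
    ];
}

// Usage: drop this file into a vhost's docroot (or run it with the same php.ini)
// and compare the output against the intended per-vhost policy.
print_r(auditVhostHardening());
```

Because php_admin_value settings are applied per vhost, run the script through the web SAPI of the vhost being audited; the CLI usually reads a different php.ini and will not reflect those directives.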