Newsgroups: php.internals
From: dmitry@zend.com (Dmitry Stogov)
Date: Tue, 15 Nov 2016 15:19:52 +0000
To: "php-dev@coydogsoftware.net"
CC: "rasmus@lerdorf.com", "internals@lists.php.net", "Anatol Belski (ab@php.net)", "Zeev Suraski", Nikita Popov, Julien Pauli, Joe Watkins
Subject: Re: [PATCH] opcache bug #69090, prepend user identifier to keys

New patch, attached to bug report, should fix both problems.

I'm going to commit it tomorrow, if no objections.

Thanks. Dmitry.

________________________________
From: Dmitry Stogov
Sent: Tuesday, November 15, 2016 2:41:47 PM
To: php-dev@coydogsoftware.net
Cc: rasmus@lerdorf.com; internals@lists.php.net; Anatol Belski (ab@php.net); Zeev Suraski; Nikita Popov; Julien Pauli; Joe Watkins
Subject: [PHP-DEV] Re: [PATCH] opcache bug #69090, prepend user identifier to keys

hi,

I've solved one of the problems described at https://bugs.php.net/bug.php?id=69090

The patch and explanation are attached to bug report. Please, review.

Julien, Anatol, Joe, are you OK to commit this into 5.6 and above?

I'm going to think about the second problem.

Thanks. Dmitry.

________________________________
From: php-dev@coydogsoftware.net
Sent: Friday, November 11, 2016 4:03:29 PM
To: Dmitry Stogov
Cc: rasmus@lerdorf.com; internals@lists.php.net; Anatol Belski (ab@php.net); Zeev Suraski
Subject: Re: [PATCH] opcache bug #69090, prepend user identifier to keys

Dmitry,

Thank you for taking the time to answer my questions. Time allowing, I'll be taking a closer look at the code this weekend. I do have a couple of quick comments, see below:

On Fri, Nov 11, 2016 at 07:31:03AM +0000, Dmitry Stogov wrote:
> On Nov 10, 2016 5:10 PM, php-dev@coydogsoftware.net wrote:
> >
> > Can you confirm that you see the permissions bypass problem? I've seen
> > the chroot filename collision problem acknowledged in the bugtracker and
> > in old php-internals posts, but I've seen nobody from the PHP Project
> > explicitly acknowledge the permissions bypass vulnerability. If my
> > meaning isn't clear I can provide proof of concept off-list. The
> > permissions bypass affects both apache2handler (even with mod_ruid2) and
> > FPM (even with user pools).
>
> I didn't see the problem in real life, but it's clear, that serving of
> few chroot environments using the same cache may lead to duplicate
> keys. FPM with separate pools shouldn't be affected.

FPM with separate user pools under a single master is affected by the permissions bypass issue. To avoid the issue, separate user pools isn't sufficient; you would need separate FPM master daemons.

Many users read about the ability to run separate pools with separate users under a single master and think this provides adequate user separation:

http://php.net/manual/en/install.fpm.configuration.php

But when OPCache is enabled, the user pools under a single master all share a common cache, with disastrous results if a single user is compromised. Unfortunately this is the way the popular shared hosting control panels have started implementing FPM: with a single master.

Was "single master, multiple pools with separate users" not intended for a shared hosting environment? If not, what is the point of the 'user' and 'chroot' directives? Were shared hosts using FPM always expected to use separate FPM master daemons? If so, the documentation might be more explicit IMHO (I'd be willing to put in some work here if you feel a documentation fix is what's needed).

> > But again I should stress that *chroot filename collisions are not the
> > only bad behavior here.* They're not the bug I'm most concerned with.
>
> Do you talk about executing "unreadable" PHP scripts of different
> users? I think, the proper way to fix this, would be executing access()
> check on each cached script access (this might be enabled/disabled
> through php.ini)

Yes! This is exactly my concern. And you're absolutely right, a check of access() at script compile time is a better solution than my patch. I think it should be the default behavior though.

I'm starting to think I should have opened a separate bug for the permissions bypass issue and the chroot filename collision; in the bug tracker users were already lumping these issues together but they're really separate concerns.

Off-list I'm going to send you a proof of concept script which demonstrates the problem with a typical FPM/OPCache deployment in a shared environment.

-php-dev at coydogsoftware dot net
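
The access() check on each cache hit that this thread discusses, as an added illustration (not code from the attached patch, from OPcache or from either poster): a toy model of a path-keyed script cache shared by pools running as different users. The uids, paths, file modes and function names are constructed for the example, and may_read() stands in for access(path, R_OK).

```c
/* Toy model, not OPcache code: every name, uid and path is constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct file_meta   { const char *path; uid_t owner; unsigned mode; };
struct cache_entry { const char *key;  const char *compiled; };

/* Constructed sample files: alice's script is readable by its owner only. */
static const struct file_meta FILES[] = {
    { "/home/alice/secret.php", 1001, 0600 },
    { "/home/bob/index.php",    1002, 0644 },
};
/* Shared cache, already warmed by a request from alice's own pool. */
static const struct cache_entry CACHE[] = {
    { "/home/alice/secret.php", "<opcodes: secret.php>" },
};

/* Stand-in for access(path, R_OK): owner bits for the owner, "other" bits
 * for everyone else (groups are ignored in this model). */
static int may_read(const char *path, uid_t uid)
{
    for (size_t i = 0; i < sizeof FILES / sizeof FILES[0]; i++) {
        if (strcmp(FILES[i].path, path) != 0)
            continue;
        unsigned bits = FILES[i].owner == uid ? FILES[i].mode >> 6 : FILES[i].mode;
        return (bits & 04) != 0;
    }
    return 0; /* unknown file: not readable */
}

/* validate_on_hit == 0: a hit is served to whoever asks, no file check.
 * validate_on_hit == 1: the read-permission check runs on every hit. */
const char *cache_lookup(const char *path, uid_t uid, int validate_on_hit)
{
    for (size_t i = 0; i < sizeof CACHE / sizeof CACHE[0]; i++) {
        if (strcmp(CACHE[i].key, path) != 0)
            continue;
        if (validate_on_hit && !may_read(path, uid))
            return NULL; /* caller reports "permission denied" */
        return CACHE[i].compiled;
    }
    /* Miss: compiling means opening the file, so the OS check applies. */
    return may_read(path, uid) ? "<freshly compiled>" : NULL;
}

int main(void)
{
    const char *p = "/home/alice/secret.php";
    printf("uid 1002, no check:    %s\n", cache_lookup(p, 1002, 0) ? "served" : "denied");
    printf("uid 1002, check on hit: %s\n", cache_lookup(p, 1002, 1) ? "served" : "denied");
    return 0;
}
```

The model shows why the check has to sit on the hit path: on a miss the operating system already refuses to open the file, so only cached entries can be served without a permission decision.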