[TYPO3-core] REMINDER RFC #8130: Bug: addService() working with open_basedir and symlink
Xavier Perseguers
typo3 at perseguers.ch
Fri Oct 17 11:16:18 CEST 2008
Hi!
> Xavier Perseguers wrote:
>> I don't think so, the problem still remains as is_executable does not
>> stick to the given directory:
>>
>> $ ls -l /var/www/typo3-exec
>> lrwxrwxrwx 1 root root 16 2007-09-04 08:47 convert -> /usr/bin/convert
>>
>> With open_basedir listing /var/www/typo3-exec, the different exec
>> functions of PHP let you use /var/www/typo3-exec/convert happily but
>> if you try to check whether you may run the command, namely using
>> is_executable, then the symbolic link is first resolved to
>> /usr/bin/convert, then a warning is thrown that open_basedir
>> restrictions are activated and that /usr/bin is not within the allowed
>> path(s) and finally is_executable returns FALSE!
>
> That's right. But in this case do not use a symlink, use hard link or a
> copy.
I'm forced to use a copy because my /var/www is in fact a mounted
partition and hard links to not work across devices. But this is more
work when an update comes.
Now another problem is that my hardening configuration (yes I'm a bit
paranoïd but that is why I'm able to give such hints :D) does not allow
me to execute programs on the /var/www subdirectory (mount option
"noexec" in /etc/fstab. This prevents scripts to be uploaded for
instance to /tmp (or typo3temp in case of TYPO3) and be executed
whenever someone would find a way to do this.
Please note that I do not fear uncommon or nearly impossible attacks
because I had the problem a few years ago on a server that was
absolutely not "on the forecast". This is a real issue.
--
Xavier Perseguers
http://xavier.perseguers.ch/en/tutorials/typo3.html
More information about the TYPO3-team-core
mailing list