[TYPO3-core] REMINDER RFC #8130: Bug: addService() working with open_basedir and symlink
Xavier Perseguers
typo3 at perseguers.ch
Fri Oct 17 13:42:25 CEST 2008
Hi!
> Xavier Perseguers wrote:
>> I'm forced to use a copy because my /var/www is in fact a mounted
>> partition and hard links do not work across devices. But this is more
>> work when an update comes.
>>
>> Now another problem is that my hardening configuration (yes I'm a bit
>> paranoid but that is why I'm able to give such hints :D) does not
>> allow me to execute programs on the /var/www subdirectory (mount
>> option "noexec" in /etc/fstab). This prevents scripts from being uploaded,
>> for instance to /tmp (or typo3temp in the case of TYPO3), and executed
>> whenever someone would find a way to do this.
>> Please note that I do not fear uncommon or nearly impossible attacks
>> because I had the problem a few years ago on a server that was
>> absolutely not "on the forecast". This is a real issue.
>
> You are not paranoid, you are a very responsible person, which is a good
> thing in my eyes :)
>
> But adding every application to the open_basedir looks wrong to me :( I
> do not really want convert or unzip to be there :(
This is why I created a "TYPO3 external application" directory with
symlinks to the real apps. I do not see a viable solution to this problem
other than updating my patch and applying it automatically to each new
version of TYPO3 I install, just as I do for the time being.
Thus if we do not find a solution (and I fear we won't) without actually
hacking the "should-work" code, then I would suggest dropping a note on
the bug tracker explaining that hard links or a copy of the real
application should be used whenever possible, or otherwise that my
setup is too specific and that we all hope that the open_basedir problem
will be tackled in an upcoming release of PHP.
And then simply reject the bug.
--
Xavier Perseguers
http://xavier.perseguers.ch/en/tutorials/typo3.html