[TYPO3-core] REMINDER RFC #8130: Bug: addService() working with open_basedir and symlink
Xavier Perseguers
typo3 at perseguers.ch
Thu Oct 30 16:34:00 CET 2008
Hi,
I agreed to *reject* this bug (with proper comment) as we'll not agree
on a solution for this weird situation.
May someone do this please?
Thanks
Xavier Perseguers wrote:
> Hi!
>
>> Xavier Perseguers wrote:
>>> I'm forced to use a copy because my /var/www is in fact a mounted
>>> partition and hard links do not work across devices. But this is more
>>> work when an update comes.
>>>
>>> Now another problem is that my hardening configuration (yes I'm a bit
>>> paranoid but that is why I'm able to give such hints :D) does not
>>> allow me to execute programs on the /var/www subdirectory (mount
>>> option "noexec" in /etc/fstab). This prevents scripts from being uploaded
>>> for instance to /tmp (or typo3temp in case of TYPO3) and executed
>>> whenever someone would find a way to do this.
>>> Please note that I do not fear uncommon or nearly impossible attacks
>>> because I had the problem a few years ago on a server that was
>>> absolutely not "on the forecast". This is a real issue.
>>
>> You are not paranoid, you are a very responsible person, which is a
>> good thing in my eyes :)
>>
>> But adding every application to the open_basedir looks wrong to me :(
>> I do not really want convert or unzip to be there :(
>
> This is why I created a "TYPO3 external application" directory with
> symlinks to real apps. I do not see a viable solution with this problem
> but updating my patch and apply it automatically to each new version of
> TYPO3 I install, just as I do for the time being.
>
> Thus if we do not find a solution (and I fear we won't) without actually
> hacking the "should-work" code, then I would suggest to drop a note on
> the bugtracker explaining that hard links or copy of the real
> application should be used whenever it's possible or otherwise that my
> setup is too specific and that we all hope that the open_basedir problem
> will be tackled with an upcoming release of PHP.
>
> And then simply reject the bug.
>
--
Xavier Perseguers
http://xavier.perseguers.ch/en/tutorials/typo3.html
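
The symlink directory discussed in this thread can be audited against an open_basedir value before deployment. The script below is an added example, not code from the thread or from TYPO3; it relies on the documented PHP behaviour that symbolic links are resolved before open_basedir is applied. The directory name `extapps`, the fixture paths and the function names are hypothetical, and open_basedir entries are treated as directories.

```shell
#!/bin/sh
# Added example, not from the thread. PHP resolves symlinks before applying
# open_basedir, so what matters is where each link's target really lives.

# inside_basedir PATH LIST: succeed if PATH is under an entry of the
# colon-separated LIST (entries treated as directories: an assumption).
inside_basedir() {
    rest=$2:
    while [ -n "$rest" ]; do
        base=${rest%%:*}
        rest=${rest#*:}
        [ -n "$base" ] || continue
        base=$(readlink -f -- "$base") || continue
        case $1 in
            "$base"|"$base"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_links DIR LIST: report every symlink in DIR; fail if any is blocked.
audit_links() {
    blocked=0
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f -- "$link") || target=
        if [ -n "$target" ] && inside_basedir "$target" "$2"; then
            echo "ok      ${link##*/} -> $target"
        else
            echo "blocked ${link##*/} -> ${target:-unresolvable}"
            blocked=$((blocked + 1))
        fi
    done
    [ "$blocked" -eq 0 ]
}

# Constructed fixture: a site root holding an "extapps" link directory, with
# one tool copied inside the root and one living outside it.
make_fixture() {
    root=$(readlink -f -- "$(mktemp -d)")
    mkdir -p "$root/site/extapps" "$root/site/bin" "$root/system/bin"
    : > "$root/site/bin/unzip"; : > "$root/system/bin/convert"
    ln -s "$root/site/bin/unzip" "$root/site/extapps/unzip"
    ln -s "$root/system/bin/convert" "$root/site/extapps/convert"
    echo "$root"
}

fx=$(make_fixture)
audit_links "$fx/site/extapps" "$fx/site" || echo "some links leave open_basedir"
rm -rf "$fx"
```

A link reported as blocked needs either a copy of the tool inside the allowed tree or a wider open_basedir, which is the trade-off the thread is arguing about.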