[PHP] unlink security problem

[Patrick Cossette]

I'm running PHP 4.1.2 as an Apache module (Apache 1.3.24) under AIX 4.3.3.

My problem has been covered in Bug #13447 but I still have it and the bug
was under Windows 2000 but I'm running AIX. It's a security
problem with "unlink". My site runs as the user "web" but different parts of
my site are modified by different developpers. Since all
files are owned by "web", I set up an open_basedir so each developper is
limited to make file operations on his directory-tree. My
problem is that this setup does not prevent unlinking, which means that one
can delete files that are not under his directory-tree, and
I do not want that. With the following setup, fopen and include are
restricted by openbasedir, which is good. But one can unlink a file
even if it's not under his directory-tree. I have the following in
httpd.conf:


Options Indexes Includes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
   
  AddType application/x-httpd-php .php
  php_flag engine on
  php_admin_value safe_mode 1
  php_admin_value safe_mode_exec_dir "/u/uq/web/www.uqtr.ca/"
  php_admin_value doc_root "/u/uq/web/www.uqtr.ca/"
  php_admin_value open_basedir "/u/uq/web/www.uqtr.ca/"
  php_admin_value user_dir "/u/uq/web/www.uqtr.ca/"
   



The file testerase.php is in /u/uq/web/www.uqtr.ca and contains this:



I need help. Is it possible to bypass file deletion permission and restrict
the directories in which to unlink?

Thanks,

Patrick
[EMAIL PROTECTED]

[PHP] open_basedir problem

[Patrick Cossette]

Hi,

I have the folowing problem under PHP 4.0.6 running as a module with Apache
1.3.22.  I want to give my users access to PHP as an Apache module but I
want to restrict what they can do with open_basedir, safe_mode,... so they
don't have the right to access other's files.  I have a problem with
open_basedir.  A user cannot include or open a file with a RELATIVE PATH.
He must absolutely give an absolute path in order to work.  If he uses a
relative path, he gets the following errors:

-for the OPEN:
Warning  open_basedir restriction in effect. File is in wrong directory in
/u/d/e/delisle/public_html/Crypto/testopen.php on line 2
Warning: fopen("inclure","r") - Not owner in
/u/d/e/delisle/public_html/Crypto/testopen.php on line 2

- for the INCLUDE:
Warning: open_basedir restriction in effect. File is in wrong directory in
/u/d/e/delisle/public_html/Crypto/testinclude.php on line 2
Warning: open_basedir restriction in effect. File is in wrong directory in
/u/d/e/delisle/public_html/Crypto/testinclude.php on line 2
Warning: Failed opening 'inclure' for inclusion
(include_path='.:/p/php4/lib/php') in
/u/d/e/delisle/public_html/Crypto/testinclude.php on line 2


Here is the portion of my access.conf file that relates to that user:

Directory "/u/d/e/foo/public_html/">
   Options Indexes IncludesNOEXEC ExecCGI FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
   AddHandler cgi-script .cgi .pl .php3 .phtml
   
  AddType application/x-httpd-php .php
  php_flag engine on
  php_admin_value safe_mode_exec_dir "/u/d/e/foo/public_html/"
  php_admin_value safe_mode 1
  php_admin_value doc_root "/u/d/e/foo/public_html/"
  php_admin_value open_basedir "/u/d/e/foo/public_html/"
  php_admin_value user_dir "/u/d/e/foo/public_html/"
   


Knowing that the include path is by default ".", I even tried putting
php_admin value include_path "/u/d/e/foo/public_html/".
It works if both the calling file and the included file are directly in
"/u/d/e/foo/public_html/" but not if the included file is in a subdirectory
of "/u/d/e/foo/public_html/".  I would like the include and open to work
from anywhere in the "/u/d/e/foo/public_html/" tree to anywhere in the
"/u/d/e/foo/public_html/"  tree.  It seems to me like a normal behaviour to
expect.  Is there a way also to configure such a thing at a higher level, so
that every user's public_html is configured like that?

Thanks

Patrick Cossette
[EMAIL PROTECTED]



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php