Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/01/26 00:02:30 UTC
DO NOT REPLY [Bug 38393] New: - root access in extension for PHP, during PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38393>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38393
Summary: root access in extension for PHP, during
PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION
Product: Apache httpd-2
Version: 2.0-HEAD
Platform: All
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: perchild
AssignedTo: bugs@httpd.apache.org
ReportedBy: sopak@matrixway.cz
CC: sopak@matrixway.cz
I wrote a PHP extension for mod_php and found a security problem (in my opinion).
During PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION, which are
something like the constructor and destructor of a PHP extension, I have root access
and can do everything as root.
The problem is, I expect to be the apache user here already; this looks more like a design
problem and can cause more problems when someone breaks a PHP extension and, I think,
even some apache module.
I understand this could be useful for something like suexec, but this
should be forbidden by default. Why does the main apache process (which alone can bind
ports 80, 443 etc.) even run children with root access? Shouldn't this be
configurable?
Please tell me if I am wrong, thx.
BTW: sorry for my bad English ;]
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 38393] - root access in extension for PHP, during PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION
nick@webthing.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From nick@webthing.com 2006-01-26 00:36 -------
This is Apache bugzilla, not PHP.
If you're saying that PHP enables unprivileged users to gain root privileges
during server startup, that is indeed a major security issue and should be
reported to PHP.
(it's not clear to me whether that really is what you're saying)
DO NOT REPLY [Bug 38393] - root access in extension for PHP, during PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION
nick@webthing.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |INVALID
------- Additional Comments From nick@webthing.com 2006-01-26 03:48 -------
Yes of course. Many modules need root privileges at startup: for example, the
module that opens the logfiles, and the module that binds to port 80. It's
the same security issue as with any software you run as root, including Apache
itself: don't run it unless you trust it.
It would be a security hole if modules could be added by unprivileged users,
as for example CGI and PHP scripts can.
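The point of the reply above is that startup-time root privilege is only a hole if someone other than root can supply or modify a module that httpd loads. As an added example (not from the bug report or the httpd project), the script below audits the LoadModule lines of an httpd.conf and reports any module whose file or parent directory a user outside the trusted set could write; the config text, paths and the `trusted_uids` / `stop_at` parameters are assumptions made for the example.

```python
import os
import re
import stat

# Matches "LoadModule <name> <path>" at the start of a line; commented-out
# directives start with '#' and therefore do not match.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+(\S+)', re.MULTILINE)


def find_modules(conf_text, server_root):
    """Return (module_name, absolute .so path) for every LoadModule directive.
    Relative paths are resolved against server_root, as httpd does."""
    modules = []
    for name, path in LOADMODULE_RE.findall(conf_text):
        if not os.path.isabs(path):
            path = os.path.join(server_root, path)
        modules.append((name, os.path.normpath(path)))
    return modules


def path_problems(path, trusted_uids=frozenset({0}), stop_at="/"):
    """Walk from the module file up to stop_at (inclusive) and report every
    component that a user outside trusted_uids could replace or modify:
    group/world-writable, or owned by an untrusted uid. Parent directories
    matter because a writable directory lets its owner swap the file out
    even when the .so itself is root-owned and read-only."""
    problems = []
    cur = os.path.normpath(path)
    stop_at = os.path.normpath(stop_at)
    while True:
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            problems.append(f"{cur}: does not exist")
            break
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{cur}: writable by group or others")
        if st.st_uid not in trusted_uids:
            problems.append(f"{cur}: owned by uid {st.st_uid}, not a trusted uid")
        parent = os.path.dirname(cur)
        if cur == stop_at or parent == cur:
            break
        cur = parent
    return problems


def audit_config(conf_text, server_root, trusted_uids=frozenset({0}), stop_at="/"):
    """Map each loaded module name to its list of findings (empty list = clean)."""
    return {name: path_problems(path, trusted_uids, stop_at)
            for name, path in find_modules(conf_text, server_root)}
```

On a real server run `audit_config(open("/path/to/httpd.conf").read(), server_root)` with the defaults so the walk reaches `/` and only uid 0 is trusted.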
DO NOT REPLY [Bug 38393] - root access in extension for PHP, during PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION
sopak@matrixway.cz changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
------- Additional Comments From sopak@matrixway.cz 2006-01-26 01:01 -------
Hi
I think this is an apache design problem during startup. I think all apache
modules loaded during start have root access, and after startup apache
switches to the given user from the configuration, therefore this is more an apache problem
than a PHP one.
I think the steps are something like this (I simplified it):
root   1] main apache starts and starts prefork processes (keeps starting them to complete
          needs and settings)
root   2] apache starts modules
root   3] modules initialize
root   4] modules initialize their own modules, extensions, whatever
root   5] apache switches to the unprivileged user
apache 6] apache accepts and passes requests from the main apache process (which
          binds 80, 443, ...) to modules and the other way
apache 7] the apache process reaches its maximum requests or gets a signal to shut down
root   8] apache somehow switches to the privileged user again (probably the main process??)
root   9] apache calls shutdown on all modules
root  10] modules close their work files, resources etc., and PHP calls the same on
          all extensions
root  11] process dies..
Maybe this is not exactly what apache is doing, but I want to reopen this issue.
The reason is: "let it be configurable when apache switches to the unprivileged user; I
decide prefork processes can't have root access ever (maybe as a configurable
parameter for a suexec environment and similar)"
DO NOT REPLY [Bug 38393] - root access in extension for PHP, during PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION
sopak@matrixway.cz changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|perchild |prefork