View Full Version : RAQ Vulnerability
AussieHosts 01-25-2002, 10:39 AM Thanks to a (fortunately) loyal client, we were recently alerted to a rather large exploitable hole within the .pkg available from the Cobalt website for PHP. Posted it to the Cobalt list...it didn't seem to bother too many people. If anyone is interested, drop me a line.
Gary
brett 01-28-2002, 11:03 PM Hi
I have seen you post on the Cobalt lists. This is not just an issue with Cobalts, it's PHP: when you install PHP server-wide it sets itself to nobody (as I understand it), and nobody has more server rights than the user. The way we have got around this is to install the binary on each account (when needed). OK, it's a bit more disk space, but at least you can set it to the account's ID and make sure the rights are set correctly, basically so PHP has the same access as the user, not the module.
Hey, I might be way off track, sorry if I am.
AussieHosts 01-28-2002, 11:19 PM No...nobody has no server rights by default.
The problem with the Cobalt is that in order to become setuid to the user it has to be begun as root.
Cheers
G
monkey_boy 01-29-2002, 04:50 PM Has anyone solved this hole? Is there a config file change we can make? Force php to run in safe_mode or something? Is there a newer version of php available as a pkg?
Thanks!
ASPCode.net 01-29-2002, 05:04 PM Could you please explain the whole problem? Is it the old one, that one site could read files from other sites with the open/file command? Because that can be fixed with open_basedir per virtual host entry.
Or is it something new?
brett 01-29-2002, 05:18 PM Where are you saying to put that open_basedir?
In the httpd.conf, in each VirtualHost?
<VirtualHost <IP> >
ServerName www.domain.co.nz
ServerAdmin admin
DocumentRoot /home/sites/site118/web
ServerAlias domain.co.nz
open_basedir domain.co.nz
Like that?
Sorry for being really new, never really used *nix much before.
ASPCode.net 01-29-2002, 05:59 PM
<VirtualHost <IP> >
ServerName www.domain.co.nz
ServerAdmin admin
DocumentRoot /home/sites/site118/web
ServerAlias domain.co.nz
php_admin_value open_basedir /home/sites/siteXX
Where XX is the site number. I have even added it to the Cobalt perl script so it is added automatically when I create a new site.
hypernatic.net 01-29-2002, 06:38 PM php_admin_value open_basedir /home/sites/siteXX
What will this do?
Also, how do I add that to the cobalt script? Could you plz plz tell me? :D
ASPCode.net 01-29-2002, 06:56 PM File operations will be limited to files under the specified directory. If the user calls readfile() or file() they will get an error message if the file is not located under their open_basedir.
Yes, I would have told you before, but it was some months ago that I did it, and since I am turning 30 this year, I just can't remember which file it was :) . And now it's time for bed, but I will try to find it tomorrow and post it here.
This is actually a really cool thing, modifying it per VirtualHost I mean, with this scheme my clients are having open_basedir restrictions while I don't have it :)
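The per-VirtualHost open_basedir line described above can be checked across a whole httpd.conf. The script below is an added example, not code from the thread or from Cobalt; the function names and the sample hostnames and site numbers are constructed, and it assumes one directory per open_basedir value.

```shell
#!/bin/sh
# Added example (not from the thread): report VirtualHost blocks with no
# php_admin_value open_basedir, or one that does not contain the DocumentRoot.
audit_open_basedir() {
    awk '
    function report(why) { printf "%s: %s\n", (name == "" ? "(unnamed)" : name), why }
    tolower($1) ~ /^<virtualhost/ { invh = 1; name = root = base = ""; next }
    !invh { next }
    tolower($1) == "servername"   { name = $2 }
    tolower($1) == "documentroot" { root = $2 }
    tolower($1) == "php_admin_value" && tolower($2) == "open_basedir" {
        base = $3; sub(/\/+$/, "", base)      # ignore a trailing slash
    }
    tolower($1) ~ /^<\/virtualhost/ {
        # Compare with a trailing "/" so /home/sites/site1 is not taken to cover site12.
        if (base == "") {
            report("no open_basedir")
        } else if (index(root "/", base "/") != 1) {
            report("DocumentRoot outside open_basedir " base)
        }
        invh = 0
    }' "$@"
}

# Constructed sample configuration (hostnames, IP and site numbers are made up).
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10>
ServerName www.site1.example
DocumentRoot /home/sites/site1/web
php_admin_value open_basedir /home/sites/site1
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.site2.example
DocumentRoot /home/sites/site2/web
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.site12.example
DocumentRoot /home/sites/site12/web
php_admin_value open_basedir /home/sites/site3
</VirtualHost>
EOF
}

# Run on the sample; for a real server pass the path to its httpd.conf instead.
sample_conf | audit_open_basedir
```

Each output line names a virtual host whose PHP file access is not confined to its own site directory.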
AussieHosts 01-29-2002, 07:17 PM To fix it we applied the following countermeasures;
1) We chowned /bin/su to root.admin
2) Modified php.ini (located in /etc/httpd/php.ini) so that Safe Mode was enabled by default (by default it is off)
Cheers
Gary
ASPCode.net 01-30-2002, 04:27 AM Originally posted by Editor
To fix it we applied the following countermeasures;...
Fixed what? Could you please tell us what the problem is?
Perlboy 01-30-2002, 08:36 AM Hey,
Basically, by running a system command within PHP to su - the user can gain root privileges to the box. Using this method one could rm -fr / etc.
As Editor has pointed out by running in Safe Mode and chowning admin.root (with r-xr-x--- privs) this means only the admin user can su to root.
Of course, it would be even better if su was removed completely but this is dangerous in the event of a system crash and no local access.
Stuart
Angel78 01-30-2002, 01:17 PM Originally posted by Editor
To fix it we applied the following countermeasures;
1) We chowned /bin/su to root.admin
What is the command ? Plz :)
Perlboy 01-30-2002, 06:08 PM *log in to machine*
*su - to root*
chown root.admin /bin/su
chmod 750 /bin/su
chmod u+s /bin/su
Remember to set your PHP to Safe Mode.
Stuart
Angel78 01-30-2002, 06:13 PM :) Thanks, I already set my PHP to safe mode. Do I still have to perform this other stuff?