Re: [SECURITY] [DSA 1550-1] New suphp packages fix local privilege escalation
Hi,
Moritz Muehlenhoff wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1550-1 security@debian.org
> http://www.debian.org/security/ Moritz Muehlenhoff
> April 17, 2008 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : suphp
> Vulnerability : programming error
> Problem type : local
> Debian-specific: no
> CVE Id(s) : CVE-2008-1614
> Debian Bug : 475431
>
> It was discovered that suphp, an Apache module to run PHP scripts with
> owner permissions handles symlinks insecurely, which may lead to
> privilege escalation by local users.
I upgraded the package as suggested, but it broke my setup.
For what it's worth, I have a virtualhost whose documentroot is
/var/www/foo.
That directory is owned by user foo.
Under this one, I have a directory /var/www/foo/bar, that contains a
script index.php, both being owned by user bar.
(This web site is composed of several branches, managed by different
people.)
With the new suphp, apache refuses to serve /var/www/foo/bar/index.php
because /var/www/foo is not owned by the script's owner.
Looking at the diff between 0.6.2-1 and 0.6.2-1+etch0, it looks like the
new suPHP::Application::checkParentDirectories function is responsible
for this new behaviour.
Since, my setup involves no symlink at all, I think this check exceeds
what is required to fix the security flaw.
Would it be possible to fix this behaviour?
Cheers,
Nicolas Boullis
Reply to: