Hi,
Moritz Muehlenhoff wrote:
------------------------------------------------------------------------
Debian Security Advisory DSA-1550-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 17, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : suphp
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-1614
Debian Bug : 475431
It was discovered that suphp, an Apache module to run PHP scripts with
owner permissions handles symlinks insecurely, which may lead to
privilege escalation by local users.
I upgraded the package as suggested, but it broke my setup.
For what it's worth, I have a virtualhost whose documentroot is
/var/www/foo.
That directory is owned by user foo.
Under this one, I have a directory /var/www/foo/bar, that contains a
script index.php, both being owned by user bar.
(This web site is composed of several branches, managed by different
people.)
With the new suphp, apache refuses to serve /var/www/foo/bar/index.php
because /var/www/foo is not owned by the script's owner.
Looking at the diff between 0.6.2-1 and 0.6.2-1+etch0, it looks like the
new suPHP::Application::checkParentDirectories function is responsible
for this new behaviour.
Since, my setup involves no symlink at all, I think this check exceeds
what is required to fix the security flaw.
Would it be possible to fix this behaviour?
Cheers,
Nicolas Boullis