On 10/28/2013 04:10 PM, Reindl Harald wrote:
php_admin_value open_basedir /var/www/$domain/$host/
php_admin_value upload_tmp_dir /var/www/$domain/$host/tmp
php_admin_value session.save_path /var/www/$domain/$host/tmp
php_admin_value sys_temp_dir /var/www/$domain/$host/tmp
Oh no - do *not* place the session data anywhere inside open_basedir. This is one of the worst things you can do, because any otherwise harmless script that bypassed whatever security restriction will be able to read *any* session data.
You have a point, but I wouldn't go as far as to say it's one of the worst things you can do. If a vulnerable PHP script allows an attacker to (at least try to) read arbitrary files, then it's possible to read session data that lies within open_basedir. Note that they can already read your database credentials out of config.php at that point.
But, if you put the session data under open_basedir, then it's easy to restrict access to the entire /var/www/example.com hierarchy to the one user that needs it: www.example.com. In the scenario I described, I'm able to tell our customers that their websites are "physically" separated from our other customers.
If there's a vulnerability in someone else's site, the kernel (via filesystem ACLs) will prevent it from affecting yours. The web user for example.NET truly cannot even traverse /var/www/example.COM, where everything important to you is stored. This is robust against Apache, Ruby, Python, etc. vulnerabilities as well -- not just PHP.
I already mentioned that I don't trust PHP. Our sites would be just as secure if open_basedir stopped working tomorrow, since the filesystem ACLs are what we trust to work. So, we trade the potential to read sessions for that peace of mind. Not trying to downplay your complaint, just pointing out another POV.
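Added example, not code from either poster: a small audit helper (the function names `session_path_inside_basedir` and `audit` and the sample vhost values are my own, constructed to mirror the /var/www/$domain/$host layout above) that flags the configuration Reindl warns about, a session.save_path that resolves inside an open_basedir entry, so that the trade-off described in the reply is at least stated explicitly per vhost.

```python
import posixpath


def parse_open_basedir(value):
    """Split a PHP open_basedir value (':'-separated on Unix) into prefixes.
    Every entry is treated as a directory here and given a trailing '/' so
    that '/var/www/foo' does not match '/var/www/foobar'."""
    entries = []
    for raw in value.split(":"):
        raw = raw.strip()
        if raw:
            entries.append(posixpath.normpath(raw) + "/")
    return entries


def parse_session_save_path(value):
    """Strip the optional 'N;' or 'N;MODE;' prefix that PHP accepts in
    session.save_path (directory depth and file mode) and return the path."""
    return posixpath.normpath(value.split(";")[-1].strip())


def session_path_inside_basedir(open_basedir, save_path):
    """True when the session directory lies under some open_basedir entry,
    i.e. a file-read flaw that open_basedir confines can still reach sessions."""
    target = parse_session_save_path(save_path) + "/"
    return any(target.startswith(p) for p in parse_open_basedir(open_basedir))


# Constructed sample vhosts; the first follows the layout quoted in the thread,
# the second keeps sessions outside the web tree.
VHOSTS = {
    "www.example.com": {
        "open_basedir": "/var/www/example.com/www.example.com/",
        "session.save_path": "/var/www/example.com/www.example.com/tmp",
    },
    "www.example.net": {
        "open_basedir": "/var/www/example.net/www.example.net/:/usr/share/php/",
        "session.save_path": "5;/var/lib/php/sessions/www.example.net",
    },
}


def audit(vhosts):
    """Map each vhost name to True when its sessions are readable under open_basedir."""
    return {
        name: session_path_inside_basedir(c["open_basedir"], c["session.save_path"])
        for name, c in vhosts.items()
    }


if __name__ == "__main__":
    for name, exposed in audit(VHOSTS).items():
        print(f"{name}: sessions inside open_basedir = {exposed}")
```

A True result is not a vulnerability by itself; it marks the vhost whose session files become readable once any file-read flaw in that site is reached, which is the case each side of the thread weighs differently.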