[Dovecot] OT: PHP session data storage

Michael Orlitzky michael at orlitzky.com
Tue Oct 29 02:10:25 EET 2013



On 10/28/2013 04:10 PM, Reindl Harald wrote:
>> 
>> php_admin_value open_basedir /var/www/$domain/$host/ 
>> php_admin_value upload_tmp_dir /var/www/$domain/$host/tmp 
>> php_admin_value session.save_path /var/www/$domain/$host/tmp 
>> php_admin_value sys_temp_dir /var/www/$domain/$host/tmp
> 
> oh no - do *not* place the session data anywhere inside open_basedir 
> this is one of the worst things you can do because any otherwise 
> harmless script that bypassed whatever security restriction will be able
> to read *any* session data
> 

You have a point, but I wouldn't go as far as to say it's one of the
worst things you can do. If a vulnerable PHP script allows an attacker
to (at least try to) read arbitrary files, then it's possible to read
session data that lies within open_basedir. Note that they can already
read your database credentials out of config.php at that point.

But, if you put the session data under open_basedir, then it's easy to
restrict access to the entire /var/www/example.com hierarchy to the
one user that needs it: www.example.com. In the scenario I described,
I'm able to tell our customers that their websites are "physically"
separated from our other customers.

If there's a vulnerability in someone else's site, the kernel (via
filesystem ACLs) will prevent it from affecting yours. The web user
for example.NET truly cannot even traverse /var/www/example.COM, where
everything important to you is stored. This is robust against Apache,
Ruby, Python, etc. vulnerabilities as well -- not just PHP.

I already mentioned that I don't trust PHP. Our sites would be just as
secure if open_basedir stopped working tomorrow, since the filesystem
ACLs are what we trust to work. So, we trade the potential to read
sessions for that peace of mind. Not trying to downplay your
complaint, just pointing out another POV.

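As an added example (not code from either poster), a small POSIX sh audit for the two points argued in this exchange: whether a vhost's session.save_path sits inside its open_basedir, and whether the vhost root is closed to other local users. The `php_admin_value` line format is the one quoted above; the directory names and the `audit_vhost`, `path_inside`, `value_of` and `dir_closed_to_others` helpers are assumptions of this example.

```shell
# Added example, not code from the thread: audit a per-vhost PHP config for
# the two points argued above: does session.save_path sit inside open_basedir
# (readable by a file-disclosure bug in that vhost's own scripts), and is the
# vhost root closed to other local users? All paths are constructed samples.

# path_inside BASE PATH -> "yes" if PATH lies under BASE (trailing slash on
# BASE tolerated). Plain string prefix test: symlinks are not resolved.
path_inside() {
    base=${1%/}
    case "$2" in
        "$base" | "$base"/*) echo yes ;;
        *)                   echo no ;;
    esac
}

# value_of DIRECTIVE FILE -> value of the first "php_admin_value DIRECTIVE v"
value_of() {
    awk -v d="$1" '$1 == "php_admin_value" && $2 == d { print $3; exit }' "$2"
}

# dir_closed_to_others DIR -> "yes" when the "other" permission bits are all
# clear (the group is assumed to be the site's own user); "missing" if absent.
dir_closed_to_others() {
    [ -d "$1" ] || { echo missing; return; }
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) echo yes ;;
        *)   echo no ;;
    esac
}

# audit_vhost CONFIG -> one WARN line per finding; exit status 1 if any
audit_vhost() {
    ob=$(value_of open_basedir "$1"); sp=$(value_of session.save_path "$1"); rc=0
    [ "$(path_inside "$ob" "$sp")" = yes ] &&
        { echo "WARN session.save_path $sp is inside open_basedir $ob"; rc=1; }
    [ "$(dir_closed_to_others "$ob")" = no ] &&
        { echo "WARN $ob is traversable by other local users"; rc=1; }
    return $rc
}

# Demo on a constructed config mirroring the layout quoted in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/www/tmp" && chmod 750 "$demo/www"
printf 'php_admin_value open_basedir %s/\nphp_admin_value session.save_path %s/tmp\n' \
    "$demo/www" "$demo/www" > "$demo/vhost.conf"
audit_vhost "$demo/vhost.conf" || echo "vhost needs attention"
rm -rf "$demo"
```

The demo reports the first finding (sessions inside open_basedir) but not the second, which is the trade-off Michael describes: the hierarchy is closed to other users even though its own scripts can reach the sessions.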

