linux security - May 1999 - php3 module and security

At 11:11 08/05/99 -0700, you wrote:
>Files in any web directory with the extention .php3 will be interpreted,
and no
>others will be unless specified to do so.  How is this a security breach?
	If a user in a ISP create a file .php3 with read/write functions, 
he'll have permissions to read/overwrite some private files.
I need a way to specify which directory will be viewed by the parser.

	In the php3.ini file there are some directives, but only for binary mode 
of using php3, not as module in apache.


	Thanks,
	lacj

---
<levy@null.net>
Levy Carneiro Jr.
Linux & Network Admin

Hi,

	When php3 module is compiled in apache, files in any directory will
be interpreted by the parser and executed. This is a security breach.
There is a way to correct this? Any comments?


	Thanks,
	lacj

---
<levy@null.net>
Levy Carneiro Jr.
Linux & Network Admin


From mail@mail.redhat.com Sat May 8 02:32:02 1999
Received: (qmail 28372 invoked from network); 8 May 1999 07:05:57 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 8 May 1999 07:05:57 -0000
Received: from rosie.bitwizard.nl (root@3dyn123.delft.casema.net
[195.96.104.123])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id CAA21355
	for <linux-security@redhat.com>; Sat, 8 May 1999 02:32:02 -0400
Received: from cave.BitWizard.nl (wolff@cave.bitwizard.nl [192.168.234.1])
	by rosie.bitwizard.nl (8.8.8/8.8.8) with ESMTP id IAA07625
	for <linux-security@redhat.com>; Sat, 8 May 1999 08:31:58 +0200
Received: (from wolff@localhost)
	by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00369
	for linux-security@redhat.com; Sat, 8 May 1999 08:31:54 +0200
Received: from pop.vuurwerk.nl
	by localhost with POP3 (fetchmail-4.7.5)
Approved: R.E.Wolff@BitWizard.nl
	for wolff@localhost (single-drop); Fri, 07 May 1999 19:14:04 +0200 (MEST)
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
	(with Cubic Circle's cucipop (v1.31 1998/05/13) Fri May  7 19:14:03 1999)
X-From_: linux-security-request@redhat.com  Fri May  7 19:12:43 1999
Received: from leeuwarden.vuurwerk.nl (IDENT:root@leeuwarden.vuurwerk.nl
[194.178.232.16])
	by haarlem-2.vuurwerk.nl (8.9.3/8.9.1) with ESMTP id TAA11222
	for <bitwiz@haarlem-2.vuurwerk.nl>; Fri, 7 May 1999 19:12:42 +0200
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by leeuwarden.vuurwerk.nl (8.9.2/8.9.1) with SMTP id TAA23489
	for <r.e.wolff@BitWizard.nl>; Fri, 7 May 1999 19:12:41 +0200 (CEST)
Received: (qmail 32496 invoked by uid 501); 7 May 1999 17:39:51 -0000
Received: (qmail 32465 invoked from network); 7 May 1999 17:39:50 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 7 May 1999 17:39:50 -0000
Received: from redhat1.mmaero.com (jlewis@redhat1.mmaero.com [208.152.224.2])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id NAA09811;
	Fri, 7 May 1999 13:06:19 -0400
From: jlewis@lewis.org
Received: from localhost (jlewis@localhost)
	by redhat1.mmaero.com (8.8.7/8.8.7) with ESMTP id MAA15421;
	Fri, 7 May 1999 12:01:50 -0400
Date: Fri, 7 May 1999 12:01:50 -0400 (EDT)
X-Sender: jlewis@redhat1.mmaero.com
To: Gregory A Lundberg <lundberg@vr.net>
cc: Lisa L Berdeja <lberdeja@2xtreme.net>, wu-ftpd@wugate.wustl.edu,
        bugs@redhat.com, linux-security@redhat.com
Subject: Re: Redhat Linux 6.0 Problem
In-Reply-To: <Pine.LNX.4.04.9905071137130.14885-100000@redhat1.mmaero.com>
Message-ID: <Pine.LNX.4.04.9905071158110.14885-100000@redhat1.mmaero.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Status: RO

On Fri, 7 May 1999 jlewis@lewis.org wrote:
> # ldd ./ls
>         /lib/libNoVersion.so.1 => /lib/libNoVersion.so.1 (0x40014000)
>         libc.so.6 => /lib/libc.so.6 (0x4001c000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> 
> I've never heard of libNoVersion.  All the /home/ftp/bin stuff in 6.0
uses
> it...but it doesn't exist.  Perhaps that's got something to do with
> it...but its odd that the programs work when I chroot there and run them.
> 
> > Oh, and are you using symlinks?  If so, there's your problem. 
Symlinks
> 
> No symlinks except for zcat -> gzip.  This is a standard Red Hat
> installation.  It looks like they just screwed up the wu-ftpd package and
> will probably issue an update sometime soon.  For me, this isn't a huge
> issue.  I'm not using RH 6.0 on production servers yet.  I like to wait
a
> few weeks after new releases and see how much stuff they broke and then
> either wait for the updates or use the source.
I just noticed another really wierd thing.  For some reason the anonftp
package on Red Hat (at least 5.2 and 6.0) that includes the libs and bins
needed for wu-ftpd to work for anonymous FTP includes what seems to be a
copy of /bin/ash as /home/ftp/bin/sh.  Why the heck would they include a
bourne shell in the anon bin directory?

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
 Jon Lewis *jlewis@lewis.org*|  Spammers will be winnuked or 
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________


From mail@mail.redhat.com Sat May 8 02:48:48 1999
Received: (qmail 7548 invoked from network); 8 May 1999 07:22:35 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 8 May 1999 07:22:34 -0000
Received: from rosie.bitwizard.nl (root@3dyn123.delft.casema.net
[195.96.104.123])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id CAA23163
	for <linux-security@redhat.com>; Sat, 8 May 1999 02:48:48 -0400
Received: from cave.BitWizard.nl (wolff@cave.bitwizard.nl [192.168.234.1])
	by rosie.bitwizard.nl (8.8.8/8.8.8) with ESMTP id IAA07744
	for <linux-security@redhat.com>; Sat, 8 May 1999 08:48:45 +0200
Received: (from wolff@localhost)
	by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00407
	for linux-security@redhat.com; Sat, 8 May 1999 08:48:45 +0200
Received: from pop.vuurwerk.nl
	by localhost with POP3 (fetchmail-4.7.5)
Approved: R.E.Wolff@BitWizard.nl
	for wolff@localhost (single-drop); Sat, 08 May 1999 08:46:09 +0200 (MEST)
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Sat May  8 08:46:09 1999)
X-From_: linux-security-request@redhat.com  Sat May  8 08:44:43 1999
Received: from leeuwarden.vuurwerk.nl (IDENT:root@leeuwarden.vuurwerk.nl
[194.178.232.16])
	by haarlem-2.vuurwerk.nl (8.9.3/8.9.1) with ESMTP id IAA16923
	for <bitwiz@haarlem-2.vuurwerk.nl>; Sat, 8 May 1999 08:44:43 +0200
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by leeuwarden.vuurwerk.nl (8.9.2/8.9.1) with SMTP id IAA26215
	for <r.e.wolff@BitWizard.nl>; Sat, 8 May 1999 08:44:42 +0200 (CEST)
Received: (qmail 767 invoked by uid 501); 8 May 1999 07:18:25 -0000
Received: (qmail 12422 invoked from network); 8 May 1999 07:13:14 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 8 May 1999 07:13:14 -0000
Received: from rosie.bitwizard.nl (root@3dyn123.delft.casema.net
[195.96.104.123])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id CAA22314;
	Sat, 8 May 1999 02:39:25 -0400
Received: from cave.BitWizard.nl (wolff@cave.bitwizard.nl [192.168.234.1])
	by rosie.bitwizard.nl (8.8.8/8.8.8) with ESMTP id IAA07685;
	Sat, 8 May 1999 08:39:13 +0200
Received: (from wolff@localhost)
	by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00377;
	Sat, 8 May 1999 08:39:12 +0200
Message-Id: <199905080639.IAA00377@cave.BitWizard.nl>
Subject: Re: Redhat Linux 6.0 Problem
In-Reply-To: <Pine.LNX.4.04.9905071158110.14885-100000@redhat1.mmaero.com>
from "jlewis@lewis.org" at "May 7, 99 12:01:50 pm"
To: jlewis@lewis.org
Date: Sat, 8 May 1999 08:39:12 +0200 (MEST)
Cc: lundberg@vr.net, lberdeja@2xtreme.net, wu-ftpd@wugate.wustl.edu,
        bugs@redhat.com, linux-security@redhat.com
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
X-Mailer: ELM [version 2.4ME+ PL37 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-moderate: yes

jlewis@lewis.org wrote:
> I just noticed another really wierd thing.  For some reason the anonftp
> package on Red Hat (at least 5.2 and 6.0) that includes the libs and bins
> needed for wu-ftpd to work for anonymous FTP includes what seems to be a
> copy of /bin/ash as /home/ftp/bin/sh.  Why the heck would they include a
> bourne shell in the anon bin directory?
I've done "dir patch*" to get a listing of all the patches at
ftp.kernel.org. 

The "*" expansion is something a shell does. My guess is that they
didn't want to duplicate the wildcard expansion into wu-ftpd. 

Note that a shell doesn't have any special privileges. So, indeed for
convenience, exploits regularly do 'exec ("/bin/sh")', but in
fact

	while (1) {
	   read (0, buf, 1024);
	   if (fork ()) exit (exec (buf));
	   wait (...);
	}

is a simple shell-substitiute, and short enough to be carried in an
exploit of a few hundred bytes.

Regards, 

	Roger Wolff.

-- 
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------


From mail@mail.redhat.com Sat May 8 03:11:09 1999
Received: (qmail 10146 invoked from network); 8 May 1999 07:44:57 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 8 May 1999 07:44:57 -0000
Received: from rosie.bitwizard.nl (root@3dyn123.delft.casema.net
[195.96.104.123])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id DAA24371
	for <linux-security@redhat.com>; Sat, 8 May 1999 03:11:09 -0400
Received: from cave.BitWizard.nl (wolff@cave.bitwizard.nl [192.168.234.1])
	by rosie.bitwizard.nl (8.8.8/8.8.8) with ESMTP id JAA07835
	for <linux-security@redhat.com>; Sat, 8 May 1999 09:11:06 +0200
Received: (from wolff@localhost)
	by cave.BitWizard.nl (8.8.8/8.8.8) id JAA00449
	for linux-security@redhat.com; Sat, 8 May 1999 09:11:05 +0200
Received: from pop.vuurwerk.nl
	by localhost with POP3 (fetchmail-4.7.5)
Approved: R.E.Wolff@BitWizard.nl
	for wolff@localhost (single-drop); Sat, 08 May 1999 09:07:32 +0200 (MEST)
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Sat May  8 09:07:31 1999)
X-From_: linux-security-request@redhat.com  Sat May  8 09:05:23 1999
Received: from groningen.vuurwerk.nl (IDENT:root@groningen.vuurwerk.nl
[194.178.232.19])
	by haarlem-2.vuurwerk.nl (8.9.3/8.9.1) with ESMTP id JAA19240
	for <bitwiz@haarlem-2.vuurwerk.nl>; Sat, 8 May 1999 09:05:23 +0200
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by groningen.vuurwerk.nl (8.9.2/8.9.1) with SMTP id JAA26542
	for <r.e.wolff@BitWizard.nl>; Sat, 8 May 1999 09:05:21 +0200 (CEST)
Received: (qmail 692 invoked by uid 501); 8 May 1999 07:38:42 -0000
Received: (qmail 29401 invoked from network); 8 May 1999 07:35:02 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 8 May 1999 07:35:02 -0000
Received: from orakelkasten.klammeraffe.org (orakelkasten.klammeraffe.org
[195.214.69.193])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id DAA23702
	for <linux-security@redhat.com>; Sat, 8 May 1999 03:01:16 -0400
Received: from elektrobarde.klammeraffe.org (elektrobade.ecrc.de [141.1.97.19])
	by orakelkasten.klammeraffe.org (8.8.7/8.8.7/19990210mat) with ESMTP id
JAA01832;
	Sat, 8 May 1999 09:01:12 +0200
Received: (from brandy@localhost)
	by elektrobarde.klammeraffe.org (8.8.7/8.8.7) id IAA14014;
	Sat, 8 May 1999 08:57:46 +0200
Message-ID: <19990508085745.A8798@elektrobarde.klammeraffe.org>
Date: Sat, 8 May 1999 08:57:45 +0200
From: mat -filid brandy <brandy@klammeraffe.org>
To: "Levy Carneiro Jr." <levy@null.net>
Cc: linux-security@redhat.com
Subject: [linux-security] Re: php3 module and security
References: <Pine.LNX.4.10.9905071912500.2891-100000@slave.fractal.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2
In-Reply-To:
<Pine.LNX.4.10.9905071912500.2891-100000@slave.fractal.com.br>; from Levy
Carneiro Jr. on Fri, May 07, 1999 at 07:19:19PM -0300
X-moderate: yes

Slan,

On Fri, May 07, 1999 at 07:19:19PM -0300, Levy Carneiro Jr.
wrote:
> 	When php3 module is compiled in apache, files in any directory will
> be interpreted by the parser and executed. This is a security breach.
> There is a way to correct this? Any comments?
Read the SAFEMODE part of php3 !!!

Slainte agus saol agat,
	-mat-

--
-mat- filid brandy   brandy@klammeraffe.org   MB210-RIPE
<A HREF="http://www.klammeraffe.org/~brandy/">-mat-
brandy</A>
PGP PUBLIC KEY CODE via finger


From mail@mail.redhat.com Sun May 9 06:38:15 1999
Received: (qmail 10618 invoked from network); 9 May 1999 11:12:38 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 9 May 1999 11:12:38 -0000
Received: from rosie.bitwizard.nl (root@3dyn123.delft.casema.net
[195.96.104.123])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id GAA07534
	for <linux-security@redhat.com>; Sun, 9 May 1999 06:38:15 -0400
Received: from cave.BitWizard.nl (wolff@cave.bitwizard.nl [192.168.234.1])
	by rosie.bitwizard.nl (8.8.8/8.8.8) with ESMTP id MAA15069
	for <linux-security@redhat.com>; Sun, 9 May 1999 12:38:10 +0200
Received: (from wolff@localhost)
	by cave.BitWizard.nl (8.8.8/8.8.8) id MAA00348
	for linux-security@redhat.com; Sun, 9 May 1999 12:38:09 +0200
Received: from pop.vuurwerk.nl
	by localhost with POP3 (fetchmail-4.7.5)
Approved: R.E.Wolff@BitWizard.nl
	for wolff@localhost (single-drop); Sun, 09 May 1999 05:47:01 +0200 (MEST)
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Sun May  9 05:47:01 1999)
X-From_: linux-security-request@redhat.com  Sun May  9 05:45:16 1999
Received: from leeuwarden.vuurwerk.nl (IDENT:root@leeuwarden.vuurwerk.nl
[194.178.232.16])
	by haarlem-2.vuurwerk.nl (8.9.3/8.9.1) with ESMTP id FAA19663
	for <bitwiz@haarlem-2.vuurwerk.nl>; Sun, 9 May 1999 05:45:16 +0200
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by leeuwarden.vuurwerk.nl (8.9.2/8.9.1) with SMTP id FAA19308
	for <r.e.wolff@BitWizard.nl>; Sun, 9 May 1999 05:45:15 +0200 (CEST)
Received: (qmail 5378 invoked by uid 501); 9 May 1999 04:19:23 -0000
Received: (qmail 5350 invoked from network); 9 May 1999 04:19:22 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 9 May 1999 04:19:22 -0000
Received: from ns1.mailer.org (mailer.org [199.44.63.2])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id XAA08010
	for <linux-security@redhat.com>; Sat, 8 May 1999 23:45:10 -0400
Received: from localhost (amacc@localhost)
	by ns1.mailer.org (8.8.7/8.8.7) with SMTP id XAA14022;
	Sat, 8 May 1999 23:46:40 -0400
Date: Sat, 8 May 1999 23:46:40 -0400 (EDT)
From: Andrew McRory <amacc@mailer.org>
X-Sender: amacc@ns1.mailer.org
To: linux-security@redhat.com
cc: bugtraq@netspace.org
Subject: OpenLinux 2.2: LISA install leaves root access without password
Message-ID: <Pine.LNX.4.02.9905082300390.13930-100000@ns1.mailer.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes


Hello,

I believe I've found a bug in the installation process of OpenLinux 2.2
when using the LISA boot disk. During the installation a temporary passwd
file is put on the new file system containing the user "help" set
uid=0
gid=0 and no password. Once you are prompted to set the root password and
default user password a new passwd and shadow file is created yet the help
user is left in the shadow file with, you guessed it, no password... Here
are the offending entries:

/etc/passwd
        help:x:0:0:install help user:/:/bin/bash

/etc/shadow
        help::10709:0:365:7:7::

Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
their password file now ;-)

I found this using a cdrom I made from a mirror of the mirror at
ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the
install.144 file from ftp.calderasystems.com and tried again. Same thing.
The install disk is version 137 dated 26Mar99 (displayed on the boot
message).

I wrote Caldera a message late in the day Friday regarding this bug but
haven't heard back from anyone. I've tried to resist posting this until
I
hear back but I really feel people should know now!!

PS: I'm not sure if Lizard, the graphical installation method, has this
problem. It crashes before it does much here.... that's why I tried LISA.

Thanks,



Andrew McRory - amacc@linuxsys.com ***********************************
Linux Systems Engineers / The PC Doctors                             *
3009-C West Tharpe Street - Tallahassee, FL 32303                    *
Voice 850.575.7213 ***************************************************


From mail@mail.redhat.com Sun May 9 16:46:31 1999
Received: (qmail 16477 invoked from network); 9 May 1999 21:21:21 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 9 May 1999 21:21:21 -0000
Received: from rosie.bitwizard.nl (root@3dyn123.delft.casema.net
[195.96.104.123])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id QAA28665
	for <linux-security@redhat.com>; Sun, 9 May 1999 16:46:31 -0400
Received: from cave.BitWizard.nl (wolff@cave.bitwizard.nl [192.168.234.1])
	by rosie.bitwizard.nl (8.8.8/8.8.8) with ESMTP id WAA17702
	for <linux-security@redhat.com>; Sun, 9 May 1999 22:46:22 +0200
Received: (from wolff@localhost)
	by cave.BitWizard.nl (8.8.8/8.8.8) id WAA00710
	for linux-security@redhat.com; Sun, 9 May 1999 22:46:22 +0200
Received: from pop.vuurwerk.nl
	by localhost with POP3 (fetchmail-4.7.5)
Approved: R.E.Wolff@BitWizard.nl
	for wolff@localhost (single-drop); Sun, 09 May 1999 15:24:31 +0200 (MEST)
Received: by haarlem-2.vuurwerk.nl (mbox bitwiz)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Sun May  9 15:24:31 1999)
X-From_: linux-security-request@redhat.com  Sun May  9 15:22:49 1999
Received: from leeuwarden.vuurwerk.nl (IDENT:root@leeuwarden.vuurwerk.nl
[194.178.232.16])
	by haarlem-2.vuurwerk.nl (8.9.3/8.9.1) with ESMTP id PAA21522
	for <bitwiz@haarlem-2.vuurwerk.nl>; Sun, 9 May 1999 15:22:49 +0200
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by leeuwarden.vuurwerk.nl (8.9.2/8.9.1) with SMTP id PAA08412
	for <r.e.wolff@BitWizard.nl>; Sun, 9 May 1999 15:22:48 +0200 (CEST)
Received: (qmail 17933 invoked by uid 501); 9 May 1999 13:57:07 -0000
Received: (qmail 17920 invoked from network); 9 May 1999 13:57:06 -0000
Received: from mail.redhat.com (199.183.24.239)
  by lists.redhat.com with SMTP; 9 May 1999 13:57:06 -0000
Received: from ns.lst.de ([194.231.72.65])
	by mail.redhat.com (8.8.7/8.8.7) with ESMTP id JAA30227
	for <linux-security@redhat.com>; Sun, 9 May 1999 09:22:45 -0400
Received: by ns.lst.de (Smail3.2 #1)
	id m10gTQD-000HRkC; Sun, 9 May 1999 15:15:09 +0200 (CEST)
Message-ID: <19990509151509.B7469@lst.de>
Date: Sun, 9 May 1999 15:15:09 +0200
From: Ralf Flaxa <rf@caldera.de>
To: Andrew McRory <amacc@mailer.org>, linux-security@redhat.com
Cc: bugtraq@netspace.org, Ralf Flaxa <rf@caldera.de>
Subject: [linux-security] Re: OpenLinux 2.2: LISA install leaves root access
without password
Reply-To: Ralf Flaxa <rf@caldera.de>
References: <Pine.LNX.4.02.9905082300390.13930-100000@ns1.mailer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <Pine.LNX.4.02.9905082300390.13930-100000@ns1.mailer.org>;
from Andrew McRory on Sat, May 08, 1999 at 11:46:40PM -0400
Organization: Caldera (Deutschland) GmbH
X-PGP-fingerprint: 6D 02 48 48 87 9C 6A 9C  30 A8 4D 15 AC CA 96 10
X-moderate: yes

Hi Andrew,

We are currently checking whether this is a FTP version only
phenomena or not.

In any case we will make new (old style) LISA images available
this afternoon (MET). Watch for the 138 images. I'll post a
follow-up to this mail when they are available.

Note that *only* the LISA (old style) install is affected.
The lizard (new style, graphical) install is not affected.

To avoid confusion - old style images carry 1xx numbers,
new style images carry 2xx numbers.

If you had to use the old style images, the quick fix
is to remove (after installation) the lines starting with
"help" from /etc/passwd and /etc/shadow.

Until later

	Ralf

On Sat, May 08, 1999 at 11:46:40PM -0400, Andrew McRory
wrote:
> 
> Hello,
> 
> I believe I've found a bug in the installation process of OpenLinux 2.2
> when using the LISA boot disk. During the installation a temporary passwd
> file is put on the new file system containing the user "help" set
uid=0
> gid=0 and no password. Once you are prompted to set the root password and
> default user password a new passwd and shadow file is created yet the help
> user is left in the shadow file with, you guessed it, no password... Here
> are the offending entries:
> 
> /etc/passwd
>         help:x:0:0:install help user:/:/bin/bash
> 
> /etc/shadow
>         help::10709:0:365:7:7::
> 
> Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
> their password file now ;-)
> 
> I found this using a cdrom I made from a mirror of the mirror at
> ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the
> install.144 file from ftp.calderasystems.com and tried again. Same thing.
> The install disk is version 137 dated 26Mar99 (displayed on the boot
> message).
> 
> I wrote Caldera a message late in the day Friday regarding this bug but
> haven't heard back from anyone. I've tried to resist posting this
until I
> hear back but I really feel people should know now!!
> 
> PS: I'm not sure if Lizard, the graphical installation method, has this
> problem. It crashes before it does much here.... that's why I tried
LISA.
> 
> Thanks,
> 
> 
> 
> Andrew McRory - amacc@linuxsys.com ***********************************
> Linux Systems Engineers / The PC Doctors                             *
> 3009-C West Tharpe Street - Tallahassee, FL 32303                    *
> Voice 850.575.7213 ***************************************************
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe:
>   mail -s unsubscribe linux-security-request@redhat.com < /dev/null
-- 
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__             Lazarettstr. 8, 91054 Erlangen
   /_____//_/ /____/       Dipl. Inf. Ralf Flaxa, email: rf@caldera.de
  ==== /_____/ ======    phone: ++49 9131 8978-23, fax: ++49 9131 8978-22
   Caldera OpenLinux  PGP: 6D 02 48 48 87 9C 6A 9C  30 A8 4D 15 AC CA 96 10

Slan,

On Fri, May 07, 1999 at 07:19:19PM -0300, Levy Carneiro Jr.
wrote:
> 	When php3 module is compiled in apache, files in any directory will
> be interpreted by the parser and executed. This is a security breach.
> There is a way to correct this? Any comments?
Read the SAFEMODE part of php3 !!!

Slainte agus saol agat,
	-mat-

--
-mat- filid brandy   brandy@klammeraffe.org   MB210-RIPE
<A HREF="http://www.klammeraffe.org/~brandy/">-mat-
brandy</A>
PGP PUBLIC KEY CODE via finger

On Fri, 7 May 1999, Levy Carneiro Jr. wrote:
> 
> 	Hi,
> 
> 	When php3 module is compiled in apache, files in any directory will
> be interpreted by the parser and executed. This is a security breach.
> There is a way to correct this? Any comments?
This is simply not true.  Apache does exactly what you tell it to do, and
Apache is the one that invokes PHP.  If you tell Apache to parse any .php3
file as PHP, what you say is (partially) true (only .php3 files will be
executed).  However, like just about any other Apache directive, you can
enable the PHP module on a per directory basis.  Simply have the relevant
AddType inside a <Directory> block.

As for safe-mode, unlike Peter said, safe-mode isn't restricted to the CGI
version only.  It works very well with the Apache module as well.  In
safe-mode, additional code is executed to ensure that only files owned by
the user who ran the script can be opened (among other things).  Note that
this code cannot rely on the uid/euid, since it's almost always
root/nobody.  Instead, it tries to figure out the username according to
the path of the initial file.  For that reason, and since these checks are
not provided at the OS level, I wouldn't consider them bulletproof. 

What Peter may have meant is the option of running the PHP CGI with
su-exec, i.e., actually run the PHP CGI in the context of the user who
owns the script.  While I've never configured PHP to work this way (and
this should involve configuration for each user, which may be a bit of a
headache), this is the most secure way to implement full and standard file
permissions in Apache CGIs (in this particular case, PHP).  You do lose
quite a lot of performance by using the CGI binary and not the Apache
module, though.

Zeev

-- 
-----------------------------------------------------
Zeev Suraski <zeev@zend.com>
For a PGP public key, finger bourbon@netvision.net.il