Re: FTBFS if "-Werror=format-security" flag is used


On 06.12.2013 15:59, Ralf Corsepius wrote:
> On 12/06/2013 02:57 PM, Reindl Harald wrote:

>> if arbitrary users are allowed to call CLI applications from a webserver
> ?!? Calling cli-tools underneath webservices is the norm on many webservers. Often these calls are wrapped into
> scripting languages, be they perl, python or php.

what "?!?"
if you allow calling any CLI command on a webserver you have a serious problem - period

in case of PHP open_basedir is your friend, and without "disable_functions" it is
completely worthless, so don't mix wrongly configured webservers with the topic

disable_functions = "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid,
getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus,
pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen,
posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice,
proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"

>> you have a security problem and that is for sure *not* TmpOnTmpfs
> TmpOnTmpfs opens opportunities for DOS attacks which do not exist with TmpOnFS

if I have to choose between a *self* DOS because of wrong webserver capabilities and
code execution, which -Werror=format-security should prevent, I take the DOS
and on a sanely configured webserver you have a dedicated /tmp partition, which
means TmpOnTmpfs does not matter at all




-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
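An added example (not part of the mail above or of any Fedora package) that checks a running PHP interpreter against the disable_functions list posted in this message and confirms open_basedir is set; the ini values in the comment are assumptions for a test run, not a recommended layout:

```php
<?php
// Audit script (added example): report which process/file functions from the
// posted disable_functions list are still callable, and whether open_basedir is set.
// Example run (assumed paths): php -d open_basedir=/srv/www -d disable_functions=exec,system audit.php

$wanted = [
    'apache_child_terminate', 'chown', 'dl', 'exec', 'fileinode', 'get_current_user', 'getmypid', 'getmyuid',
    'getrusage', 'highlight_file', 'link', 'mail', 'openlog', 'passthru', 'pclose', 'pcntl_alarm', 'pcntl_errno',
    'pcntl_exec', 'pcntl_fork', 'pcntl_get_last_error', 'pcntl_getpriority', 'pcntl_setpriority',
    'pcntl_signal_dispatch', 'pcntl_signal', 'pcntl_sigprocmask', 'pcntl_sigtimedwait', 'pcntl_sigwaitinfo',
    'pcntl_strerror', 'pcntl_wait', 'pcntl_waitpid', 'pcntl_wexitstatus', 'pcntl_wifexited', 'pcntl_wifsignaled',
    'pcntl_wifstopped', 'pcntl_wstopsig', 'pcntl_wtermsig', 'pfsockopen', 'popen', 'posix_kill', 'posix_mkfifo',
    'posix_setpgid', 'posix_setsid', 'posix_setuid', 'proc_close', 'proc_get_status', 'proc_nice', 'proc_open',
    'proc_terminate', 'shell_exec', 'show_source', 'socket_accept', 'socket_bind', 'symlink', 'syslog', 'system',
];

// Parse the comma-separated disable_functions directive into a lookup set.
function disabledFunctions(): array
{
    $raw  = (string) ini_get('disable_functions');
    $list = array_filter(array_map('trim', explode(',', $raw)));
    return array_fill_keys($list, true);
}

// Return the names from $wanted that are neither disabled nor absent from this build.
function stillCallable(array $wanted): array
{
    $disabled = disabledFunctions();
    $callable = [];
    foreach ($wanted as $fn) {
        // function_exists() is false for functions removed by disable_functions
        // and for extensions (pcntl, posix, sockets) that are not loaded at all.
        if (!isset($disabled[$fn]) && function_exists($fn)) {
            $callable[] = $fn;
        }
    }
    return $callable;
}

$basedir  = (string) ini_get('open_basedir');
$callable = stillCallable($wanted);

printf("open_basedir: %s\n", $basedir !== '' ? $basedir : 'NOT SET');
printf("still callable: %s\n", $callable ? implode(', ', $callable) : 'none');

// Non-zero exit lets a deployment check fail when either control is missing.
exit(($basedir !== '' && !$callable) ? 0 : 1);
```

Run it with the same php.ini (or the same -d overrides) as the web SAPI, since the CLI binary may read a different configuration than mod_php or php-fpm.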
