Bug 1228721 (CVE-2015-3211)
| Summary: | CVE-2015-3211 php: php-fpm package vulnerable to symlink attack | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkeck, jliggitt, jokerman, jorton, jrusnack, kseifried, lmeyer, makhomed, mmaslano, mmccomas, rcollet, security-response-team, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-06-08 04:02:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1228725 | ||
|
Description
Vasyl Kaigorodov
2015-06-05 14:08:25 UTC
log files inside /var/log/php-fpm dir has owner root:root
and permissions 0600 - so only root can read or write these php-fpm log files:
# ls -la /var/log/php-fpm
total 44
drwxrwx--- 2 apache root 4096 Jun 8 03:16 .
drwxr-xr-x 5 root root 4096 Jun 8 03:16 ..
-rw------- 1 root root 56 Jun 8 03:16 error.log
-rw------- 1 root root 19894 May 31 02:45 error.log-20150531
-rw------- 1 root root 6692 Jun 4 18:12 error.log-20150608
-rw------- 1 root root 0 May 25 18:44 www-slow.log
fix of this symlink attack vulnerability is trivial:
- %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm
+ %attr(770,root,root) %dir %{_localstatedir}/log/php-fpm
or even
- %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm
+ %attr(700,root,root) %dir %{_localstatedir}/log/php-fpm
why "WONTFIX" ?
Main log files are created by the main process, so are owned by root. But pool log files are created by the user of the pool (apache in default configuration), which explain the directory onwership. (In reply to Gena Makhomed from comment #2) > log files inside /var/log/php-fpm dir has owner root:root > and permissions 0600 - so only root can read or write these php-fpm log > files: > > # ls -la /var/log/php-fpm > total 44 > drwxrwx--- 2 apache root 4096 Jun 8 03:16 . > drwxr-xr-x 5 root root 4096 Jun 8 03:16 .. > -rw------- 1 root root 56 Jun 8 03:16 error.log > -rw------- 1 root root 19894 May 31 02:45 error.log-20150531 > -rw------- 1 root root 6692 Jun 4 18:12 error.log-20150608 > -rw------- 1 root root 0 May 25 18:44 www-slow.log > > fix of this symlink attack vulnerability is trivial: > > - %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm > + %attr(770,root,root) %dir %{_localstatedir}/log/php-fpm > > or even > > - %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm > + %attr(700,root,root) %dir %{_localstatedir}/log/php-fpm > > why "WONTFIX" ? As Remi mentioned in comment#3, the change you proposed will render default configuration unusable. Taking that the impact of this issue is low-to-none due to very specific pre-conditions - the decision was not to fix it at this time. Acknowledgements: Red Hat would like to thank Gena Makhomed for reporting this issue. |