Red Hat Bugzilla – Bug 1228721
CVE-2015-3211 php: php-fpm package vulnerable to symlink attack
Last modified: 2016-01-22 05:03:38 EST
It was reported that php-fpm package is vulnerable to symlink attack: # ls -lad /var/log/php-fpm drwxrwx--- 2 apache root 4096 May 28 18:53 /var/log/php-fpm https://git.centos.org/blob/rpms!php/4b401fd4915cda3a1a336902afad4e5321859c32/SPECS!php.spec#L1409 %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm After installing php-fpm package, any software running under apache user can create symlink /var/log/php-fpm/error.log pointing to any file. After starting php-fpm service - file pointed by symlink will be appended by php-fpm log output. If a file did not exist before - it will be created. This issue only exist for a short time - after php-fpm package install and before php-fpm process is started for the first time. Exiting working configurations are not affected by this issue. Steps to reproduce: - make sure you don't have php-fpm leftovers: # rm -rf /var/log/php-fpm - install php-fpm: # dnf install php-fpm - as an 'apache' user create an evil symlink: # su -s /bin/bash - apache $ ln -s /root/.bashrc /var/log/php-fpm/error.log - start php-fpm process: # systemctl start php-fpm - look at the contents of /root/.bashrc file (php-fpm error log output will be appended there) # cat /root/.bashrc
log files inside /var/log/php-fpm dir has owner root:root and permissions 0600 - so only root can read or write these php-fpm log files: # ls -la /var/log/php-fpm total 44 drwxrwx--- 2 apache root 4096 Jun 8 03:16 . drwxr-xr-x 5 root root 4096 Jun 8 03:16 .. -rw------- 1 root root 56 Jun 8 03:16 error.log -rw------- 1 root root 19894 May 31 02:45 error.log-20150531 -rw------- 1 root root 6692 Jun 4 18:12 error.log-20150608 -rw------- 1 root root 0 May 25 18:44 www-slow.log fix of this symlink attack vulnerability is trivial: - %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm + %attr(770,root,root) %dir %{_localstatedir}/log/php-fpm or even - %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm + %attr(700,root,root) %dir %{_localstatedir}/log/php-fpm why "WONTFIX" ?
Main log files are created by the main process, so are owned by root. But pool log files are created by the user of the pool (apache in default configuration), which explain the directory onwership.
(In reply to Gena Makhomed from comment #2) > log files inside /var/log/php-fpm dir has owner root:root > and permissions 0600 - so only root can read or write these php-fpm log > files: > > # ls -la /var/log/php-fpm > total 44 > drwxrwx--- 2 apache root 4096 Jun 8 03:16 . > drwxr-xr-x 5 root root 4096 Jun 8 03:16 .. > -rw------- 1 root root 56 Jun 8 03:16 error.log > -rw------- 1 root root 19894 May 31 02:45 error.log-20150531 > -rw------- 1 root root 6692 Jun 4 18:12 error.log-20150608 > -rw------- 1 root root 0 May 25 18:44 www-slow.log > > fix of this symlink attack vulnerability is trivial: > > - %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm > + %attr(770,root,root) %dir %{_localstatedir}/log/php-fpm > > or even > > - %attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm > + %attr(700,root,root) %dir %{_localstatedir}/log/php-fpm > > why "WONTFIX" ? As Remi mentioned in comment#3, the change you proposed will render default configuration unusable. Taking that the impact of this issue is low-to-none due to very specific pre-conditions - the decision was not to fix it at this time.
Acknowledgements: Red Hat would like to thank Gena Makhomed for reporting this issue.