Date: Thu, 10 Sep 2009 21:11:00 +0200 From: piotr.smyrak@heron.pl To: freebsd-ports@FreeBSD.org Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability Message-ID: <20090910191101.M55014@heron.pl> In-Reply-To: <200909101850.n8AIo265071380@freefall.freebsd.org> References: <200909101850.n8AIo265071380@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote > The following reply was made to PR ports/138698; it has > been noted by GNATS. > > From: Miroslav Lachman <000.fbsd@quip.cz> > To: bug-followup@FreeBSD.org, andzinsm@volt.iem.pw.edu.pl > Cc: > Subject: Re: ports/138698: lang/php5: PHP > session.save_path vulnerability > Date: Thu, 10 Sep 2009 20:49:14 +0200 > > Yes, it is clear now and with owner root, it works. > > I propose to make this optional, as somebody has /tmp > optimized for better speed (another disk device, flash > device, RAM disk etc.) but not /var/lib/php5. And FreeBSD > doesn't have /var/lib by default. /var/lib/* is mostly > used by some Linux distributions). I am not sure if it is > the right place to put these files, according to man > hier(7). Next thing to think about is, that /tmp is (or > easily can be) cleared at system startup, but /var/*/* > not. If we do some change in default php.ini, it affects > more then just "files are moved to another place", so > things need to be done carefully. > > Maybe leave the default as is and put these hardening > steps in comments in php.ini, then anybody can make own decision. UPDATING msg would be in place, too IMO. -- Piotr Smyrak piotr.smyrak@heron.pl
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090910191101.M55014>