From: piotr.smyrak@heron.pl
To: freebsd-ports@FreeBSD.org
Date: Thu, 10 Sep 2009 21:11:00 +0200
Message-Id: <20090910191101.M55014@heron.pl>
In-Reply-To: <200909101850.n8AIo265071380@freefall.freebsd.org>
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability

On Thu, 10 Sep 2009 18:50:02 GMT, Miroslav Lachman wrote
> The following reply was made to PR ports/138698; it has
> been noted by GNATS.
>
> From: Miroslav Lachman <000.fbsd@quip.cz>
> To: bug-followup@FreeBSD.org, andzinsm@volt.iem.pw.edu.pl
> Cc:
> Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
> Date: Thu, 10 Sep 2009 20:49:14 +0200
>
> Yes, it is clear now and with owner root, it works.
>
> I propose to make this optional, as somebody has /tmp optimized for
> better speed (another disk device, flash device, RAM disk etc.) but not
> /var/lib/php5. And FreeBSD doesn't have /var/lib by default. /var/lib/*
> is mostly used by some Linux distributions. I am not sure if it is the
> right place to put these files, according to man hier(7). Next thing to
> think about is that /tmp is (or easily can be) cleared at system
> startup, but /var/*/* is not. If we do some change in default php.ini,
> it affects more than just "files are moved to another place", so things
> need to be done carefully.
>
> Maybe leave the default as is and put these hardening steps in comments
> in php.ini, then anybody can make their own decision.

UPDATING msg would be in place, too IMO.

-- 
Piotr Smyrak
piotr.smyrak@heron.pl
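Added here as an illustration, not code from the thread, the PR or the lang/php5 port: a POSIX shell audit that extracts the session.save_path a php.ini actually sets and reports, for that directory, the properties the message above weighs (shared /tmp that may be cleared at boot, root ownership, what other users can do there). Assumptions: the standard `session.save_path = value` form, optionally with PHP's `N;[MODE;]path` prefix; an unset key treated as /tmp; "root-owned and outside /tmp" as the pass criterion taken from the message.

```shell
#!/bin/sh
# Added example, not code from the thread, the PR or the lang/php5 port.
# Assumptions: php.ini uses the "session.save_path = value" form, optionally
# with PHP's "N;[MODE;]path" prefix; an unset key is treated as /tmp (the
# usual system temp dir); "root-owned and outside /tmp" is the pass criterion
# taken from the message above.

# Print the effective session.save_path set by a php.ini file.
session_save_path() {
    awk '
        /^[ \t]*session\.save_path[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            if (v ~ /^"/) { sub(/^"/, "", v); sub(/".*$/, "", v) }  # quoted value
            else          { sub(/[ \t]*;.*$/, "", v) }               # drop ; comment
            sub(/[ \t]+$/, "", v)
            found = v                                  # last setting wins, as in PHP
        }
        END {
            if (found == "") found = "/tmp"            # assumed temp-dir fallback
            n = split(found, parts, ";")               # "N;[MODE;]path": keep the path
            print parts[n]
        }' "$1"
}

# Report the properties the thread weighs for a candidate directory.
# Returns 0 when it is root-owned and not under /tmp, 1 otherwise, 2 if missing.
check_session_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: no such directory"; return 2; }
    set -- $(ls -ld "$dir")            # mode, links, owner, group, ...
    mode="$1"; owner="$3"; status=0
    case "$dir" in
        /tmp|/tmp/*) echo "$dir: shared temp dir, may be cleared at boot"; status=1 ;;
    esac
    [ "$owner" = root ] || { echo "$dir: owned by $owner, not root"; status=1; }
    case "$mode" in
        ????????w*) echo "$dir: other users can write here (mode $mode)" ;;
    esac
    case "$mode" in
        d??????r*) echo "$dir: other users can list it (mode $mode)" ;;
    esac
    [ "$status" -eq 0 ] && echo "$dir: root-owned, outside /tmp"
    return "$status"
}

# Usage: check_session_dir "$(session_save_path /usr/local/etc/php.ini)"
```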