
Opened 6 years ago

Closed 4 years ago

Last modified 3 years ago

#10638 closed enhancement (wontfix)

package php5-cgi should be moved to a safer location

Reported by: oliver@…
Owned by: mhei
Priority: lowest
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords:
Cc:

Description

package php5 installs php5-cgi into /usr/bin, /usr/share/php-bin/ might be a better (safer) destination.

Attachments (2)

php5-cgi_10638.patch (618 bytes) - added by oliver@… 6 years ago.
Move php5 to a safer location
php5-cgi_10638.2.patch (618 bytes) - added by oliver@… 6 years ago.
Move php-cgi to a safer location


Change History (13)

comment:1 Changed 6 years ago by anonymous

Why do you need this? None of the binaries exist in /usr/share by now, and many OpenWrt packages install their binaries to /usr/bin.
What about safety and security - I'd rather suggest running php-cgi as user "nobody", but currently it is running as "root" in the init script. Changing this would surely add more safety for the whole system.

Changed 6 years ago by oliver@…

Move php5 to a safer location

Changed 6 years ago by oliver@…

Move php-cgi to a safer location

comment:2 Changed 6 years ago by oliver@…

In my aforementioned patch I suggest moving php5 and php5-cgi to a safer location. While I still stand behind this choice (it is where the howtos 'expect' them to be on the OpenWrt wiki), php-fcgi doesn't need to be moved. It is run as a daemon and access to /usr/bin shouldn't be an issue for it. If I'm wrong or you disagree, please do say so and leave it in /usr/share. If done so, however, the php-fcgi init script needs to be modified to reflect this change ;)

comment:3 Changed 6 years ago by oliver@…

Also, it should be mentioned that if php-fcgi is kept in /usr/bin rather than /usr/share, the symlink should point to the /usr/share binary.

ln -sf $(1)/usr/share/php-bin/php-cgi $(1)/usr/bin/php-fcgi

comment:4 Changed 5 years ago by florian

  • Owner changed from developers to mhei
  • Status changed from new to assigned

comment:5 Changed 5 years ago by mhei

  • Resolution set to wontfix
  • Status changed from assigned to closed

While I might still be missing something, I don't get the point of moving the binaries. And I did not find howtos on the wiki which expect the binaries there.

comment:6 Changed 5 years ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to reopened

http://wiki.openwrt.org/doc/howto/lamp

But the problem is that if you do not use fcgi (the daemonized version), you give php full access to /usr/bin. It is considered a security issue. Having it by default in /usr/share

http://webapps-common.alioth.debian.org/draft-php/html/ch-php-int.html

So by keeping it in /usr/share/php we're being more standard compliant?

comment:7 Changed 5 years ago by mhei

A quote from your second link:

-snip-
2.2.1 PHP executable binaries

[...]

The "cgi" packages similarly provide the binaries as /usr/bin/phpPHPVERSION-cgi.

[...]

2.2.2 Default include path

The default PHP include path is: .:/etc/php:/usr/local/share/php/5.0:/usr/share/php5:/usr/share/php/5.0:/usr/share/php:/usr/local/share/php

[...]

/usr/share/php is for all PHP libraries packaged as part of Debian.
[...]
-snap-

So do you mix up these two things? Running the binary from /usr/bin doesn't expose this directory. So please explain in detail where you see security problems. (I do not deny that running php as the root user is potentially risky - but hey, when you use it on an embedded system with limited resources etc., you should know why you are doing this.)

comment:8 Changed 5 years ago by mhei

  • Resolution set to no_response
  • Status changed from reopened to closed

comment:9 Changed 4 years ago by bcus

  • Resolution no_response deleted
  • Status changed from closed to reopened

It should be moved, I guess. Why? I am not experienced enough to say.

Quote from Wiki: http://wiki.openwrt.org/doc/howto/http.apache
NOTE: The /usr/bin directory contains far more than just php-cgi. On a public server it could be wise to move php-cgi to its own directory and then configure Apache to use that separate directory instead!

comment:10 Changed 4 years ago by nbd

  • Resolution set to wontfix
  • Status changed from reopened to closed

If you want to use apache and configure it this way, you can create a symlink if you like.
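The practical concern behind the wiki note quoted in comment:9 and the symlink suggested in comment:10 is the size of the directory a web server's CGI mapping exposes: a ScriptAlias (or equivalent) at /usr/bin makes every executable there reachable over HTTP, while a dedicated directory holding only php-cgi exposes one. The script below is an added example, not part of the ticket, its patches or OpenWrt; it builds such a directory by symlink (the /usr/share/php-bin name comes from the ticket, the Apache ScriptAlias line in the comment is an assumed illustration) and counts what each layout would expose. It runs against a constructed scratch tree and never touches the real /usr/bin.

```shell
#!/bin/sh
# Added example (not from the ticket or OpenWrt): give php-cgi a dedicated
# CGI directory instead of mapping the web server's CGI path onto /usr/bin.

# Count the executables a CGI mapping at DIR would make reachable over HTTP.
cgi_exposed_count() {
    dir="$1"
    n=0
    for f in "$dir"/*; do
        if [ -x "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Create a directory that holds only a symlink to php-cgi (the approach from
# comment:10: symlink, rather than relocating the packaged file) and report
# how many executables a CGI mapping at that directory exposes.
make_php_cgi_dir() {
    php_cgi="$1"    # e.g. /usr/bin/php-cgi (the package's install location)
    cgi_dir="$2"    # e.g. /usr/share/php-bin (name taken from the ticket)
    mkdir -p "$cgi_dir"
    ln -sf "$php_cgi" "$cgi_dir/php-cgi"
    # The web server then points at the narrow directory, for Apache e.g.
    #   ScriptAlias /php-cgi/ "/usr/share/php-bin/"     (assumed illustration)
    # rather than a ScriptAlias onto /usr/bin.
    cgi_exposed_count "$cgi_dir"
}

# Demonstration on a constructed scratch tree with a few fake executables.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    for b in php-cgi sh ls wget; do
        printf '#!/bin/sh\n' > "$tmp/usr/bin/$b"
        chmod +x "$tmp/usr/bin/$b"
    done
    before=$(cgi_exposed_count "$tmp/usr/bin")
    after=$(make_php_cgi_dir "$tmp/usr/bin/php-cgi" "$tmp/usr/share/php-bin")
    echo "CGI mapping at /usr/bin exposes $before executables; dedicated dir exposes $after"
    rm -rf "$tmp"
}

demo
```

On a real router the same two functions can be pointed at the actual /usr/bin and the dedicated directory to verify the difference before changing the web server configuration; the symlink keeps the package's own file where opkg installed it, so upgrades are unaffected.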

comment:11 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
