ports/138698: lang/php5: PHP session.save_path vulnerability
Miroslav Lachman
000.fbsd at quip.cz
Thu Sep 10 18:50:03 UTC 2009
The following reply was made to PR ports/138698; it has been noted by GNATS.
From: Miroslav Lachman <000.fbsd at quip.cz>
To: bug-followup at FreeBSD.org, andzinsm at volt.iem.pw.edu.pl
Cc:
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200
Yes, it is clear now and with owner root, it works.
I propose to make this optional, as somebody may have /tmp optimized for
better speed (another disk device, flash device, RAM disk, etc.) but not
/var/lib/php5.
And FreeBSD doesn't have /var/lib by default (/var/lib/* is mostly used
by some Linux distributions). I am not sure if it is the right place to
put these files, according to hier(7).
The next thing to think about is that /tmp is (or easily can be) cleared at
system startup, but /var/*/* is not.
If we make a change in the default php.ini, it affects more than just
"files are moved to another place", so things need to be done carefully.
Maybe leave the default as is and put these hardening steps in comments
in php.ini; then anybody can make their own decision.