FTBFS if "-Werror=format-security" flag is used

Reindl Harald h.reindl at thelounge.net
Sat Dec 7 02:39:04 UTC 2013



On 06.12.2013 15:59, Ralf Corsepius wrote:
> On 12/06/2013 02:57 PM, Reindl Harald wrote:

>> if arbitrary users are allowed to call CLI applications from a webserver
> ?!? Calling cli-tools underneath of webservices is the norm on many webservers. Often these calls are wrapped into
> scripting languages, be they perl, python or php.

what "?!?"
if you allow calling any CLI command on a webserver you have a serious problem - period

in case of PHP open_basedir is your friend and without "disable_functions" it is
completely worthless, so don't mix wrongly configured webservers with the topic

disable_functions = "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid,
getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus,
pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen,
posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice,
proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"

>> you have a security problem and that is for sure *not* TmpOnTmpfs
> TmpOnTmpfs opens opportunities for DOS attacks which do not exist with TmpOnFS

if i have to choose between a *self* DOS because of wrong webserver-capabilities and
code execution, which -Werror=format-security should prevent, i take the DOS
and on a sanely configured webserver you have a dedicated /tmp partition, which
means TmpOnTmpfs does not matter at all
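
An added example, not part of the original post: a Python check for the configuration point made above. open_basedir only constrains PHP's own file functions, so it confines nothing while functions that start external programs stay callable. The sample php.ini fragments, the path and the names `ini_value` and `audit` are constructed for illustration; the spawner list is the subset of the post's disable_functions value that launches processes.

```python
import re

# Process-spawning functions, all taken from the post's disable_functions list.
SPAWNERS = {"exec", "passthru", "pcntl_exec", "popen", "proc_open",
            "shell_exec", "system"}

# Constructed php.ini fragments (path and values are illustrative only).
WEAK = "open_basedir = /var/www/example\ndisable_functions =\n"
HARDENED = ('; list shortened from the post\n'
            'open_basedir = /var/www/example\n'
            'disable_functions = "exec, passthru, pcntl_exec, popen,\n'
            'proc_open, shell_exec, system"\n')


def ini_value(ini_text, key):
    """Return the last value assigned to `key`, or None if it is never set."""
    # Drop full-line ';' comments before matching.
    body = "\n".join(line for line in ini_text.splitlines()
                     if not line.lstrip().startswith(";"))
    # Value: a double-quoted string (assumed here to be allowed to wrap over
    # several lines, as the list does in the mail) or the rest of the line.
    pattern = re.compile(
        r'^[ \t]*' + re.escape(key) + r'[ \t]*=[ \t]*(?:"([^"]*)"|([^\n;]*))',
        re.M)
    hits = pattern.findall(body)
    if not hits:
        return None
    quoted, bare = hits[-1]
    return (quoted or bare).strip()


def audit(ini_text):
    """Report which process-spawning functions are still callable."""
    raw = ini_value(ini_text, "disable_functions") or ""
    disabled = {n.lower() for n in re.split(r"[,\s]+", raw) if n}
    basedir = ini_value(ini_text, "open_basedir")
    callable_spawners = sorted(SPAWNERS - disabled)
    return {
        "open_basedir": basedir or None,
        "callable_spawners": callable_spawners,
        # True when open_basedir is set but a spawned program could ignore it.
        "basedir_bypassable": bool(basedir) and bool(callable_spawners),
    }


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```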


