Date:      Thu, 10 Sep 2009 18:50:02 GMT
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Message-ID:  <200909101850.n8AIo265071380@freefall.freebsd.org>

The following reply was made to PR ports/138698; it has been noted by GNATS.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org,  andzinsm@volt.iem.pw.edu.pl
Cc:  
Subject: Re: ports/138698: lang/php5: PHP session.save_path vulnerability
Date: Thu, 10 Sep 2009 20:49:14 +0200

 Yes, it is clear now and with owner root, it works.
 
 I propose to make this optional, as somebody has /tmp optimized for 
 better speed (another disk device, flash device, RAM disk etc.) but not 
 /var/lib/php5.
 And FreeBSD doesn't have /var/lib by default (/var/lib/* is mostly used 
 by some Linux distributions). I am not sure if it is the right place to 
 put these files, according to man hier(7).
 Next thing to think about is, that /tmp is (or easily can be) cleared at 
 system startup, but /var/*/* not.
 If we do some change in default php.ini, it affects more than just 
 "files are moved to another place", so things need to be done carefully.
 
 Maybe leave the default as is and put these hardening steps in comments 
 in php.ini, then anybody can make their own decision.


