View Issue Details

ID: 0003771
Project: Composr
Category: core_upgrader
View Status: public
Last Update: 2019-06-27 19:01
Reporter: Chris Graham
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: N/A
Status: non-assigned
Resolution: open
Product Version: (none)
Target Version: (none)
Fixed in Version: (none)
Summary: 0003771: Better "excessive file permissions" detection
Description: The excessive file permissions checker currently only checks whether, on non-suEXEC servers, files/directories have been chmodded world-writable when they don't need to be (hence lowering security, as any other web server user may potentially have write access).

Actually there's a more important check we should do. For suEXEC servers, find any files/directories that are world-writable: none should be. Some Apache servers will give 500 errors if the PHP files being called up are.

Really we might want to approach this in an absolutist way: knowing, for a particular server's architecture, what every file's permissions should be, and correcting them to that. There's no need, for example, to have the executable bit set on PHP files, unless the server needs that.
Additional Information: I changed the current test line for a user, to hack the main new use case described here, and it worked...

// Flags an entry that is world-writable (o+w, bit value 2) and owned by the user PHP is running as
if ((php_function_allowed('posix_getuid')) && ((fileperms($dir . $file) & 2) != 0) && (fileowner($dir . $file) == posix_getuid())) {
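The following is an added illustration, not Composr code and not the reporter's patch: a scanner built on the rules the issue describes (suEXEC servers should have no world-writable entries; non-suEXEC servers should not have world-writable entries already owned by the PHP user; PHP files should not carry execute bits unless the server needs them). The helper names looks_like_suexec() and scan_excessive_perms() are invented here, and the "PHP runs as the file owner" test for detecting suEXEC is this example's own heuristic, not something the issue specifies.

```php
<?php
declare(strict_types=1);

// Added example, not Composr code. Helper names are hypothetical.

/**
 * Guess whether PHP runs as the site user (suEXEC / per-user FPM) rather than
 * as a shared web-server user. Under suEXEC the process uid is the owner of the
 * script being executed, so comparing the two is a usable heuristic.
 * Assumption: this heuristic is the example's own; the issue only implies it.
 */
function looks_like_suexec(string $probe_file): bool
{
    if (!function_exists('posix_getuid')) {
        return false;  // cannot tell; treat as a shared-user server
    }
    return fileowner($probe_file) === posix_getuid();
}

/**
 * Walk $root and return [path => [current, proposed, reasons]] for every entry
 * whose permissions are excessive under the given server model.
 *
 *   suEXEC server:     any world-writable file or directory is a finding.
 *   non-suEXEC server: world-writable entries already owned by the PHP process
 *                      user are findings (owner write suffices), as in the
 *                      one-line hack quoted in the issue.
 *   either:            execute bits on a .php file, unless $allow_php_exec.
 *
 * With $apply = true the proposed mode is chmod()ed in place; default is a dry run.
 */
function scan_excessive_perms(string $root, bool $suexec, bool $allow_php_exec = false, bool $apply = false): array
{
    $uid = function_exists('posix_getuid') ? posix_getuid() : null;
    $findings = [];

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        /** @var SplFileInfo $info */
        $mode = $info->getPerms() & 07777;   // drop the file-type bits, keep rwx + setuid/setgid/sticky
        $target = $mode;
        $reasons = [];

        if (($mode & 0002) !== 0) {          // o+w set
            if ($suexec) {
                $reasons[] = 'world-writable on a suEXEC server';
                $target &= ~0002;
            } elseif ($uid !== null && $info->getOwner() === $uid) {
                $reasons[] = 'world-writable but already owned by the PHP user';
                $target &= ~0002;
            }
        }

        if (!$info->isDir() && !$allow_php_exec && ($mode & 0111) !== 0
            && strtolower($info->getExtension()) === 'php') {
            $reasons[] = 'execute bit set on a PHP file';
            $target &= ~0111;
        }

        if ($reasons === []) {
            continue;
        }
        $findings[$path] = ['current' => $mode, 'proposed' => $target, 'reasons' => $reasons];
        if ($apply && $target !== $mode) {
            chmod($path, $target);
        }
    }
    return $findings;
}

// Usage (dry run): php scan.php /path/to/docroot
$root = $argv[1] ?? __DIR__;
$suexec = looks_like_suexec(__FILE__);
printf("Server model: %s\n", $suexec ? 'suEXEC (PHP runs as file owner)' : 'shared web user');
foreach (scan_excessive_perms($root, $suexec) as $path => $f) {
    printf("%s\t%04o -> %04o\t%s\n", $path, $f['current'], $f['proposed'], implode('; ', $f['reasons']));
}
```

Only the world-write and execute bits are ever touched; owner and group bits are left alone because what they should be depends on the deployment, which is the "know every file's correct permissions for this architecture" step the issue leaves for later.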
Tags: Roadmap: v11
Time estimation (hours): 4
Sponsorship: open

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-02-07 16:13 Chris Graham New Issue
2019-06-27 19:01 Chris Graham Tag Attached: Roadmap: v11