Bug #41810

Symlinks don't work if open_basedir and suhosin is used

Added by Tim Eilers almost 3 years ago. Updated 10 months ago.

Status: Closed
Start date: 2012-10-09
Priority: Should have
Due date:
Assigned To: Henjo Hoeksma
% Done: 0%
Category: -
Target version: -

Description

I know that doesn't belong in a bug report, but I first wanted to say Neos looks and feels AWESOME. Can't wait until it is finished, it will really rock!

Now to the bug: I tried Neos on my web server, which is secured in many ways, so I use open_basedir and suhosin. After enabling some PHP functions again and pointing to the correct PHP binary (all of this was told to me by the setup dialog), I was able to install Neos, but all images and CSS were missing.

After watching my logs I found this:

suhosin[14166]: ALERT - symlink called during open_basedir (attacker 'REMOTE_ADDR not set', file '/var/www/xxxxxxxx/Data/Temporary/Production/Cache/Code/Flow_Object_Classes/TYPO3_Flow_Resource_Publishing_FileSystemPublishingTarget_Original.php', line 116)

This can be solved by setting

suhosin.executor.allow_symlink = On

in php.ini, then Neos runs just fine after a fresh install.

Maybe it is not possible to run Neos / Flow without symlinks created by PHP, but at least the setup should check that configuration option.

In general: Is it planned to enable Neos on more secure systems in the future? I am not really happy with allowing exec, system and the suhosin symlink option.

History

#1 Updated by Christian Müller almost 3 years ago

  • Project changed from TYPO3.Neos to TYPO3.Flow

#2 Updated by Christian Müller almost 3 years ago

  • Subject changed from "Neos loses all symlinks if open_basedir and suhosin is used" to "Symlinks don't work if open_basedir and suhosin is used"
  • Has patch set to No
  • Affected Flow version set to Git 1.2 (master)

#3 Updated by Christian Müller almost 3 years ago

  • Project changed from TYPO3.Flow to TYPO3.Setup

#4 Updated by Karsten Dambekalns over 2 years ago

Tim Eilers wrote:

I know that doesn't belong in a bug report, but I first wanted to say Neos looks and feels AWESOME. Can't wait until it is finished, it will really rock!

Thanks!

Maybe it is not possible to run Neos / Flow without symlinks created by PHP, but at least the setup should check that configuration option.

No, Flow will always need symlinks. A check can be added, though.

In general: Is it planned to enable Neos on more secure systems in the future? I am not really happy with allowing exec, system and the suhosin symlink option.

Security is not a problem of exec, system and symlink. Illegal use of those is a problem. Anyway, if you lock down permissions enough, even that should be something that is of low risk.

#5 Updated by Aske Ertmann over 2 years ago

  • Status changed from New to Accepted
  • Priority changed from -- undefined -- to Should have

This bugfix should be about checking for symlink creation during the setup system check.
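
The setup check requested in this ticket could look like the following. This is an added example, not Flow or Neos code and not part of any comment here; `checkSymlinkSupport()` and the probe file names are hypothetical, and the directory to test is assumed to lie inside open_basedir.

```php
<?php
// Added example: hypothetical helper, not taken from TYPO3 Flow or Neos.

/**
 * Returns a list of problems; an empty array means symlink() works in $dir.
 */
function checkSymlinkSupport($dir)
{
    // Functions switched off via disable_functions are reported as missing.
    if (!function_exists('symlink')) {
        return array('symlink() is not available (disabled or unsupported).');
    }

    $problems = array();
    $openBasedir = (string) ini_get('open_basedir');
    // ini_get() returns false for unknown directives, i.e. Suhosin not loaded.
    $allow = extension_loaded('suhosin')
        ? ini_get('suhosin.executor.allow_symlink') : false;
    if ($openBasedir !== '' && $allow !== false
        && !filter_var($allow, FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'open_basedir is set and '
            . 'suhosin.executor.allow_symlink is Off.';
    }

    // Settings are only a hint: probe with a real symlink in $dir.
    $target = @tempnam($dir, 'symprobe');
    if ($target === false || realpath(dirname($target)) !== realpath($dir)) {
        if ($target !== false) {
            @unlink($target); // tempnam() fell back to another directory
        }
        $problems[] = "Cannot create a probe file in $dir.";
        return $problems;
    }
    $link = $target . '.link';
    if (!(@symlink($target, $link) && is_link($link))) {
        $problems[] = "symlink() failed in $dir.";
    }
    if (is_link($link)) {
        @unlink($link);
    }
    @unlink($target);
    return $problems;
}

// CLI usage: php check.php /path/inside/open_basedir
$dir = isset($argv[1]) ? $argv[1] : __DIR__;
$result = checkSymlinkSupport($dir);
echo ($result ? implode(PHP_EOL, $result) : "symlink creation works in $dir"), PHP_EOL;
```

The probe has to run under the same SAPI and php.ini as the web application, since CLI and web server PHP often load different Suhosin and open_basedir settings.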

#6 Updated by Henjo Hoeksma 10 months ago

  • Assigned To set to Henjo Hoeksma

Moving to Jira

#7 Updated by Henjo Hoeksma 10 months ago

  • Status changed from Accepted to Closed
