Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-24796

eZ Publish 5.4 installation documentation update with regards to security vulnerability CVE-2015-5723

    XMLWordPrintable

Details

    Description

      The eZ Publish 5.4 installation documentation should be updated in the context of security vulnerability CVE-2015-5723 (http://www.doctrineproject.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html).

      The problem addressed in CVE-2015-5723 is that cache files are generated which contains executable code. So anyone being able to write to those cache files are able to execute code as web user. So if the customer do not trust their LDAP users, those LDAP users cannot have write access to those directories and files.

      Nevertheless, there are specific cases when it is required to have web users and LDAP users to be able to write to those files. One possible approach is to:

      1. Add a new group, which web users and all LDAP users are a member of;
      2. Restart web service (in order to activate the new group assignment for the web service);
      3. Chmod 770 on the files and directories;
      4. Set the SGID bit on all the directories (not files): "chmod g+s.......";
      5. Set group ownership on all files/directories to the group created in #1 ("chown :mygroup ....");
      

      The SGID bit will ensure all new files/directories created will be owned by the group created in #1 ( no mater who actually creates the file ).

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              nuno.oliveira-obsolete@ez.no Nuno Oliveira (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: