Bug #41810

Symlinks don't work if open_basedir and suhosin is used

Added by Tim Eilers about 7 years ago. Updated about 5 years ago.

Status: Closed
Priority: Should have
Assignee:
Target version: -
Start date: 2012-10-09
Due date:
% Done: 0%


Description

I know that doesn't belong in a bug report, but I first wanted to say Neos looks and feels AWESOME. Can't wait until it is finished, it will really rock!

Now to the bug: I tried Neos on my web server, which is secured in many ways, so I use open_basedir and suhosin. After enabling some PHP functions again and pointing to the correct PHP binary (all as told to me by the setup dialog), I was able to install Neos, but all images and CSS were missing.

After watching my logs I found this:

suhosin[14166]: ALERT - symlink called during open_basedir (attacker 'REMOTE_ADDR not set', file '/var/www/xxxxxxxx/Data/Temporary/Production/Cache/Code/Flow_Object_Classes/TYPO3_Flow_Resource_Publishing_FileSystemPublishingTarget_Original.php', line 116)

This can be solved by setting

suhosin.executor.allow_symlink = On

in php.ini, then Neos runs just fine after a fresh install.

Maybe it is not possible to run Neos / Flow without symlinks created by PHP, but at least the setup should check that configuration option.

In general: Is it planned to enable Neos on more secure systems in the future? I am not really happy with allowing exec, system and the suhosin symlink option.

History

#1 Updated by Christian Müller about 7 years ago

  • Project changed from TYPO3.Neos to TYPO3.Flow

#2 Updated by Christian Müller about 7 years ago

  • Subject changed from Neos loses all symlinks if open_basedir and suhosin is used to Symlinks don't work if open_basedir and suhosin is used
  • Has patch set to No

#3 Updated by Christian Müller about 7 years ago

  • Project changed from TYPO3.Flow to TYPO3.Setup

#4 Updated by Karsten Dambekalns about 7 years ago

Tim Eilers wrote:

> I know that doesn't belong in a bug report, but I first wanted to say Neos looks and feels AWESOME. Can't wait until it is finished, it will really rock!

Thanks!

> Maybe it is not possible to run Neos / Flow without symlinks created by PHP, but at least the setup should check that configuration option.

No, Flow will always need symlinks. A check can be added, though.

> In general: Is it planned to enable Neos on more secure systems in the future? I am not really happy with allowing exec, system and the suhosin symlink option.

Security is not a problem of exec, system and symlink. Illegal use of those is a problem. Anyway, if you lock down permissions enough, even that should be something that is of low risk.

#5 Updated by Aske Ertmann over 6 years ago

  • Status changed from New to Accepted
  • Priority changed from -- undefined -- to Should have

This bugfix should be about checking for symlink creation during the setup system check.
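
One way to implement the setup check discussed in this ticket, added here as an example and not taken from Flow or TYPO3.Setup. The function name `checkSymlinkSupport`, its return shape and the use of `__DIR__` as the test directory are assumptions.

```php
<?php
// Added example: hypothetical setup check, not part of Flow or TYPO3.Setup.

/**
 * Report whether PHP can create symlinks inside $directory.
 * Returns array('ok' => bool, 'problems' => string[]).
 */
function checkSymlinkSupport($directory)
{
    $problems = array();

    // disable_functions is a comma-separated list in php.ini.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if (!function_exists('symlink') || in_array('symlink', $disabled, true)) {
        $problems[] = 'symlink() is disabled (see disable_functions in php.ini)';
    }

    // Suhosin rejects symlink() while open_basedir is active unless
    // suhosin.executor.allow_symlink is On (the ALERT quoted in this report).
    $openBasedir = (string) ini_get('open_basedir');
    $allowSymlink = filter_var(ini_get('suhosin.executor.allow_symlink'), FILTER_VALIDATE_BOOLEAN);
    if (extension_loaded('suhosin') && $openBasedir !== '' && !$allowSymlink) {
        $problems[] = 'open_basedir is set and suhosin.executor.allow_symlink is Off';
    }

    // Configuration can look fine and symlink() can still fail (permissions,
    // filesystem), so create a real link and read it back.
    if (count($problems) === 0) {
        $target = rtrim($directory, '/') . '/' . uniqid('symlink-check-');
        $link = $target . '.link';
        $created = @touch($target) && @symlink($target, $link);
        if (!$created || !is_link($link) || readlink($link) !== $target) {
            $problems[] = 'creating a test symlink in ' . $directory . ' failed';
        }
        // Clean up whatever was created, link first.
        if (is_link($link)) {
            unlink($link);
        }
        if (is_file($target)) {
            unlink($target);
        }
    }

    return array('ok' => count($problems) === 0, 'problems' => $problems);
}

// __DIR__ stands in for the directory the application publishes links into.
$result = checkSymlinkSupport(__DIR__);
echo $result['ok'] ? "symlink check passed\n" : implode("\n", $result['problems']) . "\n";
```

Running the check against the directory where links will actually be created matters, because open_basedir and filesystem permissions are evaluated per path.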

#6 Updated by Henjo Hoeksma about 5 years ago

  • Assignee set to Henjo Hoeksma

Moving to Jira

#7 Updated by Henjo Hoeksma about 5 years ago

  • Status changed from Accepted to Closed
