Icinga / icingaweb2

A lightweight and extensible web interface to keep an eye on your environment. Analyse problems and act on them.
https://icinga.com/get-started/
GNU General Public License v2.0

[dev.icinga.com #12160] make it possible to do more hardening with Icinga Web2 #2480

Open icinga-migration opened 8 years ago

icinga-migration commented 8 years ago

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12160

Created by calestyo on 2016-07-16 01:19:36 +00:00

Assignee: (none) Status: New Target Version: (none) Last Update: 2016-07-16 22:49:49 +00:00 (in Redmine)


Hi.

I think it should be possible to allow people to do more hardening with Icinga Web2, i.e. especially on the PHP basis. E.g. using open_basedir.

Ideally there should be a maintained list of such directories that Icinga Web2 will actually require to open...

Right now (I basically try to determine that list via trial&error), one problem seems to be that the code actually opens /usr/share/php itself, for which I see really not much reason. E.g. Apache complains then:

PHP Warning: realpath(): open_basedir restriction in effect. File(/usr/share/php) is not within the allowed path(s): (/usr/share/icingaweb2:/usr/share/php/Icinga) in /usr/share/php/Icinga/Application/ApplicationBootstrap.php on line 136
PHP Warning: require(/Icinga/Application/ClassLoader.php): failed to open stream: No such file or directory in /usr/share/php/Icinga/Application/ApplicationBootstrap.php on line 347
PHP Fatal error: require(): Failed opening required '/Icinga/Application/ClassLoader.php' (include_path='.:/usr/share/php') in /usr/share/php/Icinga/Application/ApplicationBootstrap.php on line 347

and only if I add all /usr/share/php to the open_basedir, it works. However this makes much of the hardening pointless, as one goal should be trying to allow access to only such php code there, which it actually uses/needs.

Could you do something about that?

Thanks, Chris.

icinga-migration commented 8 years ago

Updated by calestyo on 2016-07-16 01:30:07 +00:00

That feature request of course also includes to tell which PHP extensions are needed.

This is already partially documented (in https://github.com/Icinga/icingaweb2/blob/master/doc/02-Installation.md e.g. that "PHP >= 5.3.0 w/ gettext, intl and OpenSSL support")... but it e.g. doesn't tell that ldap is not strictly required and especially it doesn't tell which of the "common" modules are necessary. E.g. Debian ships these:

Would be great to know, which one of those are actually required to be enabled. :)

icinga-migration commented 8 years ago

Updated by calestyo on 2016-07-16 02:03:46 +00:00

Another case…

It seems IcingaWeb2 uses $tmpDir . '/FileCache_' . $name e.g. /tmp/FileCache_icingaweb

First, this looks kinda susceptible to tmp-file hacking? (Though I haven't checked your code, whether it safely fails if someone would have already created that dir.)

Second, again, this requires one to give full access to /tmp to PHP, something which I'd rather not want to do. Can't you use some static location for that, e.g. some /var/lib/icingaweb2/tmp/* ?

icinga-migration commented 8 years ago

Updated by calestyo on 2016-07-16 22:49:49 +00:00

Another case… from within the Icinga Web2 (after setup has completed), when e.g. trying to change a user's preferences, PHP directly tries to access /etc. No real reason to do so, please avoid.

mejo- commented 6 years ago

I hit the same bug when trying to create a new dashboard. We have open_basedir() restrictions in place (with /etc/icingaweb2 in the whitelist).

When the target file (/etc/icingaweb2/dashboards/user/dashboard.ini) doesn't exist, Icingaweb2 seems to do is_dir('/etc/') first, which is forbidden by the open_basedir() restrictions.

Maybe a better approach would be to go downwards in the filesystem hierarchy (starting with /etc/icingaweb2/dashboards/user/), not upwards (starting with /etc/).

is_dir(): open_basedir restriction in effect. File(/etc/) is not within the allowed path(s): (/var/www/monitor.example.org/www/:/var/www/monitor.example.org/tmp/:/usr/share/php:/tmp/:/etc/icingaweb2/:/usr/share/icingaweb2/application/:/usr/share/icingaweb2/library/vendor/:/usr/share/icingaweb2/modules/:/usr/share/icingaweb2/public/)
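The deepest-directory-first lookup suggested in the comment above, written out as an added PHP example (not Icinga Web 2's own code). The config root `/etc/icingaweb2` is taken from the report; the function names `nearestExistingDirWithin` and `ensureParentDirWithin` and the demo directory under the system temp dir are assumptions constructed here so the script runs without touching /etc:

```php
<?php
// Added example, not Icinga Web 2 code: find the nearest existing ancestor of a
// file that does not exist yet (e.g. dashboards/user/dashboard.ini) without ever
// probing above the open_basedir-permitted config root.

/**
 * Walk from the target's own directory towards $configDir and return the
 * first directory that exists. Every is_dir() probe stays at or below
 * $configDir, so with open_basedir=/etc/icingaweb2 nothing touches /etc itself.
 * Returns null if the target is not inside $configDir at all.
 */
function nearestExistingDirWithin(string $target, string $configDir): ?string
{
    $configDir = rtrim($configDir, '/');
    $dir = dirname($target);
    // Refuse paths outside the permitted root instead of probing upwards.
    if ($dir !== $configDir && strpos($dir, $configDir . '/') !== 0) {
        return null;
    }
    for (;;) {
        if (is_dir($dir)) {
            return $dir;        // deepest existing ancestor, probed first
        }
        if ($dir === $configDir) {
            return null;        // root itself is missing; do not go above it
        }
        $dir = dirname($dir);
    }
}

/** Create the missing directories below the nearest existing ancestor. */
function ensureParentDirWithin(string $target, string $configDir): bool
{
    if (nearestExistingDirWithin($target, $configDir) === null) {
        return false;
    }
    $parent = dirname($target);
    return is_dir($parent) || mkdir($parent, 0750, true);
}

// Constructed demo root standing in for /etc/icingaweb2 (assumption).
$root = sys_get_temp_dir() . '/icingaweb2-demo-' . getmypid();
mkdir($root, 0750);
$ini = $root . '/dashboards/user/dashboard.ini';
var_dump(nearestExistingDirWithin($ini, $root));          // string: $root
var_dump(ensureParentDirWithin($ini, $root));             // bool(true)
var_dump(nearestExistingDirWithin('/etc/passwd', $root)); // NULL: outside root
```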