Since APC is host based allowing access to the status page is a very bad idea. Why? Because if the drupal site gets compromised, you compromise all other sites running on the same host. Imagine someone playing with the Clean OpCode Cache
button. How will the host and other sites react? It can make all sites on the host unresponsive.
I would never use such a thing in any site, or recommend that someone uses it. But at least place some sort of authentication in front of the APC status page. Minimally, request the password again for accessing the APC status page.
Better yet/alternatively, without requiring any code whatsoever, provide instructions for placing basic authentication at the server level when accessing admin/reports/status/apc
.
Comment | File | Size | Author |
---|---|---|---|
#10 | 1344194-permissions.patch | 821 bytes | cafuego |
Comments
Comment #1
gregglesI can see the benefit of requiring a re-authentication before visiting the page, but that should be provided by another module which could do that in a more generic manner.
For the "basic authentication" solution - what should the instructions say in terms of who to give that password to? What do you see as the benefit of basic authentication compared to Drupal's authentication system?
Perhaps an alternative is simply a warning in the pre-installation documentation about what kinds of environments are or are not appropriate to install this module?
Comment #2
perusio CreditAttribution: perusio commentedhtpasswd
orthtpasswd.
As a stopgap I agree. In bold on the project page accompanied by a proper README. But if the author wants do fix this issue I think that any of the above suggested solutions is a better approach IMHO.
Comment #3
gregglesCan you help draft the changes you'd like to see? What aspects of access to the page make it a problem - just the "Clean OpCode Cache" button or other parts?
Comment #4
bfroehle CreditAttribution: bfroehle commentedFYI, I added a basic README with your text in 91e50bd. Is it strongly worded enough?
In the mean time I've removed the download link on the main page until we can agree on a warning message of your liking.
Comment #5
bfroehle CreditAttribution: bfroehle commentedI think this is a pretty contrived possibility. If an attacker has compromised a Drupal site there are already ways to make the host unresponsive (e.g., just flush the Drupal caches repeatedly) and if the attacker has the ability to execute arbitrary PHP code nothing would stop them from calling
apc_clear_cache()
or even running the apc.php script itself.Nonetheless, you are correct that this module should not be run in all circumstances.
This sounds like a reasonable compromise to me. Can I have some help with the drafting this language?
Comment #6
perusio CreditAttribution: perusio commentedHello,
Sure thing. Later today I'll fork your repo and add:
I'll push it to a sandbox of mine and to github also.
How's that?
Comment #7
gregglesIt can be markdown, but d.o doesn't do anything special with markdown so it's not super useful of pointless.
I mostly agree with @bfroehle regarding using this in an abusive way. If someone has compromised an account on a Drupal site with "administer site configuration" then they can already take it over in a variety of ways. It's true that this would let them take down the whole server whereas "administer site configuration" is just about messing with the current site however on most sites, someone with "administer site configuration" would also have things like "administer users" and/or "use php for block visibility" which would lead to the exploits in the way @bfroehle mentioned. I think the best thing is a solid warning in the README.txt to remind folks that "administer site configuration" should not be given out lightly which, afaict, has mostly been done (though it could be extended).
Comment #8
bfroehle CreditAttribution: bfroehle commentedSounds great! Thanks all!
Comment #9
cafuego CreditAttribution: cafuego commentedIt might be an idea to add an extra permission specifically for the APC report callback and (in D7 at least) set the
restrict access
option on that permission. That way an extra warning is shown on the permissions page.Comment #10
cafuego CreditAttribution: cafuego commentedIt might be an idea to add an extra permission specifically for the APC report callback and (in D7 at least) set the
restrict access
option on that permission. That way an extra warning is shown on the permissions page (as per attached patch).it doesn't really add extra security, but should make site maintainers think before granting said permission.
Comment #11
bfroehle CreditAttribution: bfroehle commentedThanks for your patience, I just got home from a vacation. I've committed your patch in #10 to the 7.x-1.x branch.
Comment #12
bfroehle CreditAttribution: bfroehle commentedShould this be backported to 6.x-1.x?
Comment #13
greggles6.x-1.x doesn't have the same feature, so you can only add a note to README.txt and make the name of the permission scary.
Comment #13.0
gregglesCorrected typo.