Hi,
sorry for the delay. I've traveled.

I see the problem(s) and I took a look into the patch.

From the first look, I don't like the proposed solution.
It makes things a bit better, but can't solve shared-hosting configuration problems.
It doesn't solve even the simple chroot file resolution problem in general (one user may have a few chroot environments with conflicting file names).
I'm not sure if it's possible to make a chroot on Windows, so why do we need to add Windows user names?
The patch introduces a syscall in the hot function (this may be optimized).

I'm open for discussion and may change my mind.
I'll also try to find a better solution.
Any suggestions are welcome.

Thanks. Dmitry.

________________________________
From: php-...@coydogsoftware.net <php-...@coydogsoftware.net>
Sent: Friday, November 4, 2016 2:00:03 PM
To: internals@lists.php.net
Cc: Dmitry Stogov
Subject: [PATCH] opcache bug #69090, prepend user identifier to keys

Hello,

I'm CCing Dmitry Stogov as maintainer because he's listed as an author in ext/opcache/ZendAccelerator.c and has recent commits.

I've attached a patch for bug #69090. You can find a more detailed writeup at https://bugs.php.net/bug.php?id=69090 .

In short, the patch adds EUID or Windows username at the beginning of OPCache keys to prevent cross-user cache access, which will hopefully alleviate security concerns of enabling OPCache on shared hosting servers. I took this in a different direction than that proposed in bug #69090 (prepending inode to key) because I feel it more effectively addresses the cross-user security concerns.

I don't have a test script yet because the change is transparent to scripts, but I could probably cobble one together by checking OPCache debug log for key names.

I do intend to port this forward to PHP7 head, but in my opinion the existing behavior in 5.6 is a serious vulnerability which warrants a maintenance patch.

If needed I can provide working exploit scripts to demonstrate how bad the existing behavior is for shared servers using OPCache.

I was hoping to get some feedback before I put in the effort to port this to PHP7.

Thanks,

--
- php-...@coydogsoftware.net
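
The key scheme discussed in this thread, as an added example that is not the attached patch or PHP's own code: it compares a path-only cache key with an EUID-prefixed one, and shows the case raised in the reply where one user's two chroots still share a key. The `<euid>:<path>` format, the helper names, and the sample UIDs and path are assumptions made for illustration (POSIX only).

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define KEY_MAX 256

/* Hypothetical key builder: "<euid>:<path>" when prefixed, bare path otherwise.
 * Returns the key length, or -1 if the key would not fit. A key is never
 * truncated: two long paths cut at the same length would alias. */
static int make_key(char *out, size_t cap, int prefixed, uid_t euid, const char *path)
{
    int n = prefixed ? snprintf(out, cap, "%lu:%s", (unsigned long)euid, path)
                     : snprintf(out, cap, "%s", path);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* 1 if both requests map to the same cache entry, 0 if not, -1 on error. */
static int collides(int prefixed, uid_t euid_a, const char *path_a,
                    uid_t euid_b, const char *path_b)
{
    char ka[KEY_MAX], kb[KEY_MAX];
    if (make_key(ka, sizeof ka, prefixed, euid_a, path_a) < 0 ||
        make_key(kb, sizeof kb, prefixed, euid_b, path_b) < 0)
        return -1;
    return strcmp(ka, kb) == 0;
}

int main(void)
{
    /* Constructed sample: the path as each process sees it inside its chroot. */
    const char *p = "/htdocs/index.php";
    printf("no prefix, users 1001 vs 1002:     %d\n", collides(0, 1001, p, 1002, p));
    printf("euid prefix, users 1001 vs 1002:   %d\n", collides(1, 1001, p, 1002, p));
    printf("euid prefix, user 1001, 2 chroots: %d\n", collides(1, 1001, p, 1001, p));
    return 0;
}
```

The third line prints 1: the prefix separates users from each other, but identical in-chroot paths under one EUID still resolve to a single entry.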