.php5 files are not run as FastCGI on openSUSE Linux
On openSUSE (tested on 12.2 and 12.3), PHP files with extension .php5 are not run via mod_fcgid, but with mod_php5 (if installed and enabled). This has the unfortunate effect that the scripts run as the webserver's uid. To reproduce:
- install and enable mod_php5 (a2enmod php5), restart Apache
- create test.php and test.php5 with the following content:
- visit the URLs in a web browser:
  - http://example.com/test.php → uid=5005(web2) gid=5005(client1) groups=5005(client1),5001(sshusers)
  - http://example.com/test.php5 → uid=30(wwwrun) gid=8(www) groups=8(www),5004(client2),5005(client1),5006(client3)
Besides making certain software not work out of the box (e.g. MediaWiki has an index.php5), this is a potential security problem, as the processes are members of other clients' groups and could therefore gain access to sensitive data.
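The comparison above can be automated per file extension. The following is an added example, not part of the original report: it assumes each test URL returns output in the format of the two responses quoted above, and the function names `parse_id` and `audit` are hypothetical.

```python
import re

# Sample input constructed from the two responses quoted in the report.
SAMPLE = {
    "test.php": "uid=5005(web2) gid=5005(client1) "
                "groups=5005(client1),5001(sshusers)",
    "test.php5": "uid=30(wwwrun) gid=8(www) "
                 "groups=8(www),5004(client2),5005(client1),5006(client3)",
}

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # matches e.g. 5005(web2)


def parse_id(line):
    """Parse one line of id-style output into uid, gid and a group map."""
    fields = dict(part.split("=", 1) for part in line.split())
    missing = {"uid", "gid", "groups"} - fields.keys()
    if missing:
        raise ValueError(f"not id output, missing {sorted(missing)}")

    def single(key):
        m = _ENTRY.fullmatch(fields[key])
        if m is None:
            raise ValueError(f"malformed {key} field: {fields[key]!r}")
        return int(m.group(1)), m.group(2)

    groups = {name: int(num) for num, name in _ENTRY.findall(fields["groups"])}
    return {"uid": single("uid"), "gid": single("gid"), "groups": groups}


def audit(responses, baseline):
    """Compare every response with the one known to run as the site user.

    same_uid is False when the script ran under a different account;
    extra_groups lists memberships the baseline process does not have.
    """
    ref = parse_id(responses[baseline])
    report = {}
    for name, line in responses.items():
        got = parse_id(line)
        report[name] = {
            "same_uid": got["uid"] == ref["uid"],
            "extra_groups": sorted(set(got["groups"]) - set(ref["groups"])),
        }
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE, baseline="test.php").items():
        print(name, result)
```

Any extension whose entry has `same_uid` set to `False` is being served outside the per-site FastCGI user, and `extra_groups` shows which other clients' groups that process can use.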