[SECURITY] Do not run playsmsd or playsmsd.php as root

anton · October 16, 2018, 11:51am

playsmsd (symlinked to playsmsd.php or copied from playsmsd.php) must not be running as root.

This is because of the previous vulnerability that allows attacker to modify PHP files. While that bug was already fixed in 1.4.2 if by any means attacker can modify any playSMS PHP file, that PHP file might be loaded by playsmsd thus running playsmsd as root will be dangerous.

What you can do right now:

Make sure that you’re using playSMS 1.4.2
Make sure that your playsmsd (or playsmsd.php) is not running as root

UPDATE:

Make sure that you are using at least playSMS 1.4.2, or for now even better just use Master version from Github
CVE was released for this vulnerability: https://github.com/TheeBlind/CVE-2018-18387
Make sure, again, that your playsmsd (or playsmsd.php) is running as non-root Linux user, for example run it as www-data instead

anton

MAPIIIAJI · October 17, 2018, 7:03am

How to run Playsms from restricted user?

Regards,
Jamshid

anton · October 17, 2018, 8:56am

The same way, but just make sure that all folders, including logs also writable by that user. Change from config.php, look for location of log folder.

To run it from crontab, example run as www-data:

su -s /bin/sh -c "/usr/local/bin/playsmsd watchdog" www-data

anton

Topic		Replies	Views
Check if playsms daemon is running from PHP Help	1	922	August 2, 2018
PlaySMS Ubuntu 20.04 PHP 7.4 Install and Upgrade	2	1660	May 31, 2022
Problem with my first install Install and Upgrade	13	3432	May 3, 2022
[solved] Playsmsd not running (move from googlegroups) Help	26	8920	August 20, 2021
L2 init # WARNING: possible CSRF attack Install and Upgrade	1	445	August 25, 2021

[SECURITY] Do not run playsmsd or playsmsd.php as root

Related topics