Edit report at http://bugs.php.net/bug.php?id=52569&edit=1

 ID:                 52569
 Comment by:         luca at fantacast dot it
 Reported by:        mplomer at gmx dot de
 Summary:            Implement "ondemand" process-manager (to allow zero
                     children)
 Status:             Analyzed
 Type:               Feature/Change Request
 Package:            FPM related
 PHP Version:        5.3.3
 Assigned To:        fat
 Block user comment: N

 New Comment:

Just a thought on the dynamic setuid/setgid/chroot via fastcgi variables
exclusion because of security concerns.



In the group discussion you pointed out how this opens up the
possibility for an attacker to call posix_setuid/posix_setgid in PHP
code to get root privileges.



However this could be easily prevented by using disable_functions to
prevent these and other potentially harmful functions from being called
(system, exec, etc) which could be used to achieve the same goal and are
not desirable in a shared hosting environment anyway.



I guess this and other protections could be even enforced automatically
by PHP FPM if dynamic setuid/setgid/chroot via fastcgi variables is
requested. 



Obviously this wouldn't protect against PHP bugs allowing arbitrary code
execution, so it only mitigates the potential risk.


Previous Comments:
------------------------------------------------------------------------
[2010-09-25 18:26:58] mplomer at gmx dot de

Released patch v6 - Updated patch to be compatible with current PHP_5_3
branch (rev 303365)



There are no functional changes against v5



Merged (removed) parts which have already been committed:

- rev 301886: only one process (for all pools) could be killed by the
'dynamic' process manager

- rev 301912: Changed listen.backlog in the FPM configuration file to
default to 128 instead of -1

- rev 301913: Add libevent version to the startup debug log in FPM

- rev 301925: add 'max children reached' to the FPM status page



Changes:

- Undo change in config.m4 which has IMHO nothing to do with this patch

- Merged listen.backlog part in php-fpm.conf.in from trunk (trunk and
5.3-branch is currently out of sync here!)

- (small code beautify)

------------------------------------------------------------------------
[2010-09-13 06:27:20] f...@php.net

You should "make clean" before recompiling with v5 patch.



The v5 patch does not apply on 5.3.3, it applies on the svn PHP5_3_3
branch.



++ Jerome

------------------------------------------------------------------------
[2010-09-13 03:30:56] dennisml at conversis dot de

Is v5 of the patch known not to work with fpm in php 5.3.3? When
applying the patch I get the following segfault:



Program received signal SIGSEGV, Segmentation fault.

0x00000000005cf319 in fpm_env_conf_wp (wp=<value optimized out>)

    at /home/dennis/php-5.3.3/sapi/fpm/fpm/fpm_env.c:141

141                     if (*kv->value == '$') {

------------------------------------------------------------------------
[2010-09-05 20:42:56] f...@php.net

@dennisml at conversis dot de



It's complex to do and security risky. Don't want to mess with that.

------------------------------------------------------------------------
[2010-09-04 16:26:06] dennisml at conversis dot de

Since this patch causes the master process to dynamically fork children
on demand I'm wondering if it would be feasible to introduce the
possibility to do setuid()/setgid() calls after the fork to run the
child process with different user id's?

What I'm thinking about is the mass-hosting case that was previously
talked about on the mailinglist. Back then this would have been quite a
bit of work to do but with this patch this should be much easier to
accomplish.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=52569


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52569&edit=1

Reply via email to