Edit report at http://bugs.php.net/bug.php?id=52569&edit=1
ID: 52569 Comment by: luca at fantacast dot it Reported by: mplomer at gmx dot de Summary: Implement "ondemand" process-manager (to allow zero children) Status: Analyzed Type: Feature/Change Request Package: FPM related PHP Version: 5.3.3 Assigned To: fat Block user comment: N New Comment: Just a thought on the dynamic setuid/setgid/chroot via fastcgi variables exclusion because of security concerns. In the group discussion you pointed out how this opens up the possibility for an attacker to call posix_setuid/posix_setgid in PHP code to get root privileges. However this could be easily prevented by using disable_functions to prevent these and other potentially harmful functions from being called (system, exec, etc) which could be used to achieve the same goal and are not desirable in a shared hosting environment anyway. I guess this and other protections could be even enforced automatically by PHP FPM if dynamic setuid/setgid/chroot via fastcgi variables is requested. Obviously this wouldn't protect against PHP bugs allowing arbitrary code execution, so it only mitigates the potential risk. Previous Comments: ------------------------------------------------------------------------ [2010-09-25 18:26:58] mplomer at gmx dot de Released patch v6 - Updated patch to be compatible with current PHP_5_3 branch (rev 303365) There are no functional changes against v5 Merged (removed) parts which have already been committed: - rev 301886: only one process (for all pools) could be killed by the 'dynamic' process manager - rev 301912: Changed listen.backlog in the FPM configuration file to default to 128 instead of -1 - rev 301913: Add libevent version to the startup debug log in FPM - rev 301925: add 'max children reached' to the FPM status page Changes: - Undo change in config.m4 which has IMHO nothing to do with this patch - Merged listen.backlog part in php-fpm.conf.in from trunk (trunk and 5.3-branch is currently out of sync here!) - (small code beautify) ------------------------------------------------------------------------ [2010-09-13 06:27:20] f...@php.net You should "make clean" before recompiling with v5 patch. The v5 patch does not apply on 5.3.3, it applies on the svn PHP5_3_3 branch. ++ Jerome ------------------------------------------------------------------------ [2010-09-13 03:30:56] dennisml at conversis dot de Is v5 of the patch known not to work with fpm in php 5.3.3? When applying the patch I get the following segfault: Program received signal SIGSEGV, Segmentation fault. 0x00000000005cf319 in fpm_env_conf_wp (wp=<value optimized out>) at /home/dennis/php-5.3.3/sapi/fpm/fpm/fpm_env.c:141 141 if (*kv->value == '$') { ------------------------------------------------------------------------ [2010-09-05 20:42:56] f...@php.net @dennisml at conversis dot de It's complex to do and security risky. Don't want to mess with that. ------------------------------------------------------------------------ [2010-09-04 16:26:06] dennisml at conversis dot de Since this patch causes the master process to dynamically fork children on demand I'm wondering if it would be feasible to introduce the possibility to do setuid()/setgid() calls after the fork to run the child process with different user id's? What I'm thinking about is the mass-hosting case that was previously talked about on the mailinglist. Back then this would have been quite a bit of work to do but with this patch this should be much easier to accomplish. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=52569 -- Edit this bug report at http://bugs.php.net/bug.php?id=52569&edit=1