Edit report at https://bugs.php.net/bug.php?id=63965&edit=1
ID: 63965
Comment by: 63965 dot phpbug at tomvalentine dot net
Reported by: markku dot niskanen at gmail dot com
Summary: php-fpm site-specific settings go global
Status: Assigned
Type: Bug
Package: FPM related
Operating System: Centos 6.2
PHP Version: 5.3.20
Assigned To: fat
Block user comment: N
Private report: N
New Comment:
The problem with this is that when setting a value through fastcgi_param
PHP_ADMIN_VAlUE (or PHP_VALUE) is that when php-fpm receives this value it is
applied only to the child process that receives the request.
E.g. you have a pool of 5 processes, only one of thoses processes gets the
value when the request is passed to it. When the child process is restarted
(after max requests or max time) it loses the PHP_ADMIN_VALUE.
The side effect of this is some unpredictability as by requesting info.php from
another server block, depending on which child process serves out info.php, you
may get different results.
PHP-FPM also has rubbish security as any FCGI client can pass requests to it by
default. E.g. nginx, php/python/perl scripts
You can sometimes limit who can access the php-fpm server by:
- If running as a unix domain socket, set listen.owner & listen.group to the
user and group of the webserver which will not work if php-fpm and webserver
are running as the same user and group. And set listen.mode to 0600 so that
only the specified user can connect to it (renders listen.group pointless)
However from fpm.conf "Many BSD-derived systems allow connections regardless of
permissions."
- If php-fpm is listening as a TCP server then you have to use a firewall to
limit the connections between FCGI client and PHP-FPM (even if it is through
localhost)
Other similar bugs: 53611 & 54309
Previous Comments:
------------------------------------------------------------------------
[2013-04-19 10:42:54] steven dot hartland at multiplay dot co dot uk
This is a very nasty security risk, with settings applied to trusted hosts
being
leaked to other vhosts.
It essentially means that if PHP_VALUE or PHP_ADMIN_VALUE is used then every
value
set must then be explicitly set for every vhost otherwise the settings leak.
This will also cause random behaviour dependent on request order.
This should be reclassified as security and FPM module
------------------------------------------------------------------------
[2013-01-11 10:41:43] markku dot niskanen at gmail dot com
The setup code got broken during upload but you should get the idea.
------------------------------------------------------------------------
[2013-01-11 10:40:26] markku dot niskanen at gmail dot com
Description:
------------
# this is an nginx configuration for *.thiscustomer.com
# it should ONLY affect *.thiscustomer.com, no other domains
server {
server_name .thiscustomer.com;
#... normal stuff removed ...
location ~ \.php$ {
# now set for THIS site
fastcgi_param PHP_VALUE
"auto_prepend_file=/home/thiscustomer/lib/modules/ThisModule.class.php";
# ..other normal stuff from this on...
}
}
Test script:
---------------
Now first simply go any other site, say "www.thatcustomer.com" on the same
server and everything works fine.
Then go to "www.thiscustomer.com" (the example site) and everything works fine.
Then again go to "www.thatcustomer.com" and you will see that you will have an
"open_basedir restriction", PHP trying to load file (prepending)
/home/thiscustomer/lib/modules/ThisModule.class.php
So the auto_prepend_file value is changed GLOBALLY and permanently until some
other domain changes it again. The same goes for ANY PHP_VALUE or
PHP_ADMIN_VALUE but this is the one that will definitely break all sites.
Tested in PHP 5.3.19 and 5.3.20, two different servers, two different operating
systems (Centos 5.8 and Centos 6.2).
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=63965&edit=1
