Skip to content
Permalink
Browse files
Implement FR #72510: systemd service should be hardened
  • Loading branch information
candrews authored and cmb69 committed Dec 12, 2018
1 parent 4d0a2f6 commit 40c4d7f1820df1872a71ab07fd26da45a203e37f
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 0 deletions.
3 NEWS
@@ -9,6 +9,9 @@ PHP NEWS
- Date:
. Fixed bug #75232 (print_r of DateTime creating side-effect). (Nikita)

- FPM:
. Implemented FR #72510 (systemd service should be hardened). (Craig Andrews)

- GD:
. Fixed bug #73291 (imagecropauto() $threshold differs from external libgd).
(cmb)
@@ -11,7 +11,61 @@ Type=@php_fpm_systemd@
PIDFile=@EXPANDED_LOCALSTATEDIR@/run/php-fpm.pid
ExecStart=@EXPANDED_SBINDIR@/php-fpm --nodaemonize --fpm-config @EXPANDED_SYSCONFDIR@/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# The directories /home, /root and /run/user are made inaccessible and empty for processes
# invoked by this unit.
ProtectHome=true

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full

# Ensures that the service process and all its children can never gain new privileges
NoNewPrivileges=true

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID

This comment has been minimized.

Copy link
@eb4x

eb4x Mar 13, 2019

Which capability is required for

ERROR: unable to bind listening socket for address '/run/php/www.sock': Permission denied (13)


# Attempts to create memory mappings that are writable and executable at the same time,
# or to change existing memory mappings to become executable are prohibited.
MemoryDenyWriteExecute=true

# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target

1 comment on commit 40c4d7f

@adrian-the-git
Copy link

@adrian-the-git adrian-the-git commented on 40c4d7f Dec 21, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this hardening documented anywhere? I spent a foolish amount of time trying to figure out why /home/web, a directory explicitly designated for public web data, would have some permission problem preventing php-fpm from seeing php scripts.

Even after discovering that /home was being blacklisted it wasn't mentioned in any php-related config files and took a search through the php source to track down.

Please sign in to comment.