sapi: fpm: Add security.exec_basedir per-pool configuration option #1873
When a single webserver is used to access multiple FPM pools (one per user), it can become possible for one vhost to execute scripts using the pool of another vhost (e.g. Apache SetHandler in .htaccess).

To prevent this, it is necessary to restrict which files a pool can execute for a request (it doesn't matter what that file then does as long as it is under control of the correct user).

While chroot does achieve this it then becomes inconvenient to allow access to any external resources (e.g. database sockets, libraries, applications) without inadvertently allowing third party users to make files available within the chroot.

This adds a per-pool configuration option "security.exec_basedir":

Limits the directory which can be used to execute the request script. This can be used to ensure that pools defined for specific users can only be used to execute scripts under the control of those users. This value must be defined as an absolute path and end with a '/'.
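As an added illustration (this is not code from the PR or from php-src), the following C sketch implements the check the option describes and shows why two details matter: the script path has to be canonicalised before the prefix test, and the trailing '/' the description asks for has to be enforced rather than assumed. `normalize_path` is a constructed lexical stand-in for realpath(3) (it does not follow symlinks), `naive_prefix_allows` mirrors the raw prefix test, `exec_basedir_allows` is the hardened form, and the sample paths are made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise an absolute path: collapse repeated '/', drop "." and
 * resolve ".." without touching the filesystem. Constructed stand-in for
 * realpath(3); it does not follow symlinks. The result never ends in '/'
 * except for the root. Returns 0 on success, -1 if `in` is not absolute or
 * does not fit in `out`. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    size_t olen;
    const char *p;

    if (in[0] != '/' || outlen < 2)
        return -1;
    out[0] = '/';
    olen = 1;

    for (p = in; *p; ) {
        const char *seg;
        size_t seglen;

        while (*p == '/')
            p++;
        if (!*p)
            break;
        seg = p;
        while (*p && *p != '/')
            p++;
        seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* pop the last component; stay at the root if already there */
            while (olen > 1 && out[olen - 1] != '/')
                olen--;
            if (olen > 1)
                olen--;
            continue;
        }
        if (olen + 1 + seglen + 1 > outlen)
            return -1;
        if (olen > 1)
            out[olen++] = '/';
        memcpy(out + olen, seg, seglen);
        olen += seglen;
    }
    out[olen] = '\0';
    return 0;
}

/* Convenience wrapper: 1 if `in` normalises to `expected`, else 0. */
static int normalizes_to(const char *in, const char *expected)
{
    char buf[256];
    return normalize_path(in, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

/* The raw prefix test from the PR hunk, applied to the path as received.
 * Kept here only for contrast with the hardened variant below. */
static int naive_prefix_allows(const char *exec_basedir, const char *path)
{
    return strncmp(path, exec_basedir, strlen(exec_basedir)) == 0;
}

/* Hardened variant: fails closed on a malformed basedir, canonicalises the
 * script path first, and requires a separator right after the basedir so that
 * "/home/user1/" never matches "/home/user10/...". An empty basedir means the
 * option is unset and everything is allowed, matching the hunk's default. */
static int exec_basedir_allows(const char *exec_basedir, const char *path)
{
    char canon[4096];
    size_t blen = strlen(exec_basedir);

    if (blen == 0)
        return 1;                                   /* option unset */
    if (exec_basedir[0] != '/' || exec_basedir[blen - 1] != '/')
        return 0;                                   /* violates the documented contract */
    if (normalize_path(path, canon, sizeof canon) != 0)
        return 0;                                   /* relative or oversized path */
    /* canon has no trailing '/', so compare basedir minus its slash and then
     * insist that the next character of canon is the separator */
    if (strncmp(canon, exec_basedir, blen - 1) != 0)
        return 0;
    return canon[blen - 1] == '/';
}

int main(void)
{
    const char *basedir = "/home/user1/";
    const char *probes[] = {               /* constructed sample request paths */
        "/home/user1/index.php",           /* legitimate */
        "/home/user10/index.php",          /* sibling user; trailing slash handles it */
        "/home/user1/../user2/x.php",      /* dot-dot: naive passes, hardened rejects */
        "/home/user1",                     /* the directory itself, not a script */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-30s naive=%d hardened=%d\n", probes[i],
               naive_prefix_allows(basedir, probes[i]),
               exec_basedir_allows(basedir, probes[i]));
    return 0;
}
```

In php-fpm the script path is available after the request has been mapped to a file, so realpath(3) on the existing file is the right canonicaliser there; the lexical normaliser above only exists so the example runs offline. The trailing-slash requirement is what makes a plain prefix comparison safe against sibling directories with a shared name prefix, which is why the hardened variant refuses to run at all when the configured value lacks it.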
```c
return 0; /* allowed by default */
}


if (strncmp(path, exec_basedir, strlen(exec_basedir)) == 0) {
```
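Review bot: the prefix test `strncmp(path, exec_basedir, strlen(exec_basedir)) == 0` is only meaningful if `path` has already been canonicalised (realpath, or at least `..` and symlink resolution) before it reaches this line; nothing visible in the hunk shows that, and on a raw request path a value such as `/home/user1/../user2/x.php` would satisfy the prefix for `exec_basedir = /home/user1/`. The description also relies on the administrator ending the value with `/` so that `/home/user1` does not match `/home/user10`; that invariant should be enforced when the pool configuration is parsed, not only documented. On the read-overflow concern raised in the thread: strncmp stops at the first NUL in either string, so a `path` shorter than `exec_basedir` is not a problem here.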
Possible read-overflow if strlen(path) < strlen(exec_basedir)
That's not how strncmp works. It will never read off the end of either string.
This is probably worth discussing as part of the RFC process.

If you have 2 pools, with 2 users, unix permissions on script should be enough to protect user1 from reading user2 files.

Permissions on which script? If you have two pools both being accessed by the same Apache instance then either user can use a

I don't intend to submit an RFC as this is not a change to the PHP language.

Since the author is unwilling to engage in the proper process to have this change merged, I'm closing this PR.

A single instance of Apache can only run as one user/group so the same This is a major security issue because there is no way to restrict which pool each vhost is allowed to use.