Description
Right now, there seems to be no obvious way to make sure that a PHP-FPM pool for one user can only execute PHP scripts that actually belong to that user. I.e. Alice can connect to the Unix domain socket of Bob's FPM pool, ask Bob's pool to execute scripts under Alice's control, and usurp Bob's identity.
Currently, neither of the approaches below works:
- Protect the socket using listen_owner and listen_mode so that only user www-data may connect to it. Doesn't work, as Apache can be tricked using various .htaccess directives to connect to any backend. Not all of these directives can be disabled using AllowOverride and AllowOverrideList, as some of them (such as RewriteRule) have legitimate purposes, which are commonly used by popular CMS.
- Use php_value[open_basedir]. Although this does allow restricting the directory from which PHP scripts may be executed, it also applies to data files opened by the script. So it's not always possible to set it to a restrictive enough value to be truly secure.
=> What would be needed would be:
- a way to set the directory from which PHP scripts may be called, without affecting from where data files may be opened
- optionally, a switch to only allow FPM to execute PHP scripts that belong to the user of the FPM pool, without allowing it to execute scripts which are writable by users other than that user
- optionally, a switch to only allow FPM to execute PHP scripts whose execute bit is set (allows the user to explicitly flag those scripts that he wants to make accessible via FPM)
This corresponds more or less to what suexec does for CGI scripts.
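As an added illustration (not part of this report and not PHP-FPM's own code), a userland approximation of the second and third requested switches: a guard loaded into each pool through php_admin_value[auto_prepend_file], so that a script handed to the pool by any web server is refused unless it is owned by the pool user, is not group- or world-writable and (optionally) has its execute bit set. It assumes the posix extension is available, that the pool's `user =` setting is the owner whose scripts it should serve, and that the prepend file itself lives outside any directory other users can write to.

```php
<?php
// fpm-guard.php: added example, hypothetical file name.
// Pool configuration (assumed):
//   php_admin_value[auto_prepend_file] = /etc/php/fpm-guard.php
// php_admin_value (not php_value) so a .htaccess or .user.ini cannot override it.
declare(strict_types=1);

/**
 * Returns null if $script may run in a pool owned by $poolUid,
 * otherwise a short reason for refusing it.
 */
function fpm_guard_script_allowed(string $script, int $poolUid, bool $requireExec = false): ?string
{
    $real = realpath($script);
    if ($real === false) {
        return "script does not exist: $script";
    }
    $st = @stat($real);
    if ($st === false) {
        return "cannot stat: $real";
    }
    // Requirement 2: the script must belong to the pool user ...
    if ($st['uid'] !== $poolUid) {
        return sprintf("owner uid %d does not match pool uid %d", $st['uid'], $poolUid);
    }
    // ... and must not be writable by anyone else (group/other write bits, 022).
    if (($st['mode'] & 022) !== 0) {
        return 'script is group- or world-writable';
    }
    // Requirement 3 (optional): only scripts the user explicitly flagged with +x.
    if ($requireExec && ($st['mode'] & 0111) === 0) {
        return 'execute bit not set';
    }
    return null;
}

// SCRIPT_FILENAME is whatever the connecting web server asked this pool to run.
$script = (string) ($_SERVER['SCRIPT_FILENAME'] ?? '');
$reason = fpm_guard_script_allowed($script, posix_geteuid(), false);
if ($reason !== null) {
    // Log for detection, then stop before the foreign script gets a chance to run.
    error_log("fpm-guard: refusing $script: $reason");
    http_response_code(403);
    exit;
}
```

Because the check runs inside the pool process before the requested script is compiled, it also covers the .htaccess/RewriteRule route described above, whatever front end connected to the socket; it does not replace listen_owner/listen_mode but adds the owner check that those settings cannot express.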