Skip to content

Add CapabilityBoundingSet to systemd unit file #4960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add CapabilityBoundingSet to systemd unit file #4960

wants to merge 1 commit into from

Conversation

bukka
Copy link
Member

@bukka bukka commented Dec 1, 2019
edited
Loading

Re-introduced CapabilityBoundingSet that got removed in 7.4: 67cd427 as it was breaking apps. It looks that chroot has been also omitted and it needs to be verified again what is actually needed by FPM. As such this targets master only.

Any feedback for additional capabilities is welcome.

@SjonHortensius
Copy link
Contributor

This looks fine and I wouldn't hesitate too long before putting it in 7.4(.1) again like this

nikic
nikic reviewed Dec 4, 2019
View reviewed changes
sapi/fpm/php-fpm.service.in
@@ -32,6 +32,9 @@ NoNewPrivileges=true
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Required for dropping privileges for running as a different user and changin owner and root.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Required for dropping privileges for running as a different user and changin owner and root.
# Required for dropping privileges for running as a different user and changing owner and root.

@SjonHortensius
Copy link
Contributor

Actually - CAP_KILL is also required for workers that run under a different user for fpm to reload properly. As this is hard to debug it might be useful to add that by default

@nikic
Copy link
Member

nikic commented Dec 9, 2019

I think at this point it's better to just not add this.

@SjonHortensius
Copy link
Contributor

@nikic I disagree, are you afraid there will be many more bug-reports caused by this more secure-by-default setup? Maybe documenting this in the Migrating-to-7.4 docs with possibly a link to How to find out what linux capabilities a process requires to work? is a better method of preventing that?

@bukka
Copy link
Member Author

bukka commented Dec 10, 2019

This won't go to 7.4. It's just for master.

@bukka bukka added the SAPI: fpm label Jun 9, 2020
@iluuu1994
Copy link
Member

@bukka What's the state here?

@bukka
Copy link
Member Author

bukka commented Dec 20, 2022

I have got this on my list and will eventually pick it up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nikic nikic nikic left review comments

Assignees
No one assigned
Labels
Feature SAPI: fpm Waiting on Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bukka @SjonHortensius @nikic @iluuu1994 @krakjoe