FS#64750 - [php-fpm] Set of listen.acl* creates problems with SUID
Attached to Project:
Arch Linux
Opened by Tobias (Ich875) - Friday, 06 December 2019, 05:50 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 14:08 GMT
Details
Description:
The solution of using listen.acl_user and listen.acl_group instead of listen.owner and listen.group creates a problem with reading files with SUID. That creates an error when exec'ing a command with 'sudo'.

Additional info:
* package version(s): php-fpm 7.4.0-2
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
- upgrade to PHP 7.4 including php-fpm
- change the setting in the www.conf from listen.owner and listen.group to listen.acl_user and listen.acl_group
- call a PHP script that calls an exec with sudo (e.g. echo(exec('/usr/bin/sudo -l'));)
- result is "effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
- strace can be found here: https://pastebin.com/bAFFJPUe

Solution for this problem:
- create a drop-in for the php-fpm.service (e.g. /etc/systemd/system/php-fpm.service.d/php-fpm.conf) with the following content:

[Service]
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_CHOWN
SecureBits=keep-caps
NoNewPrivileges=false

- change back the listen.acl_* to listen.* like before the upgrade to 7.4
- restart php-fpm and it worked again
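The two unit settings in the drop-in above (NoNewPrivileges and CapabilityBoundingSet) are visible in /proc/<pid>/status of the running php-fpm workers, so an administrator can verify whether a worker could still run a setuid-root binary such as sudo before relaxing the unit. The following shell script is an added example for this ticket, not code from the bug report or from the php-fpm package; the status excerpts it checks are constructed, and it assumes (from the drop-in flipping NoNewPrivileges to false) that the packaged unit sets that flag.

```shell
#!/bin/sh
# Added example, not code from the bug report or the php-fpm package:
# decide from a process's /proc/<pid>/status whether a setuid-root binary
# (such as sudo) started by that process can still become root.
#
# Two settings from the report's drop-in matter here:
#   NoNewPrivileges=false  -> clears the no_new_privs flag; with the flag set,
#                             execve() of a setuid binary keeps the caller's uid,
#                             which is the "effective uid is not 0" error quoted.
#   CapabilityBoundingSet  -> a setuid-root program only receives capabilities
#                             left in the bounding set, so sudo needs
#                             CAP_SETUID/CAP_SETGID there to switch users.

# Print the value of one field from status text given on stdin ("" if absent).
status_field() {
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Echo one verdict for the status text in $1 (always returns 0):
#   blocked-nnp   no_new_privs is set
#   blocked-bset  CAP_SETUID or CAP_SETGID missing from the bounding set
#   ok            a setuid-root binary can elevate and change uid/gid
suid_elevation_check() {
    status="$1"
    nnp=$(printf '%s\n' "$status" | status_field NoNewPrivs)
    capbnd=$(printf '%s\n' "$status" | status_field CapBnd)
    [ -n "$capbnd" ] || capbnd=0

    if [ "$nnp" = "1" ]; then
        echo "blocked-nnp"
        return 0
    fi
    # CapBnd is a hex bitmask: CAP_CHOWN is bit 0, CAP_SETGID bit 6, CAP_SETUID bit 7.
    bset=$((0x$capbnd))
    if [ $(( (bset >> 7) & 1 )) -eq 0 ] || [ $(( (bset >> 6) & 1 )) -eq 0 ]; then
        echo "blocked-bset"
        return 0
    fi
    echo "ok"
}

# Constructed status excerpts (not captured from a real system).
# Assumed: the packaged unit sets NoNewPrivileges=yes, which the drop-in reverts.
STATUS_DEFAULT=$(printf 'Name:\tphp-fpm\nUid:\t33\t33\t33\t33\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1\n')
# After the report's drop-in: CapBnd 0xc1 = CAP_CHOWN|CAP_SETGID|CAP_SETUID, flag cleared.
STATUS_DROPIN=$(printf 'Name:\tphp-fpm\nUid:\t33\t33\t33\t33\nCapBnd:\t00000000000000c1\nNoNewPrivs:\t0\n')
# Flag cleared but bounding set keeps only CAP_CHOWN: sudo gets euid 0 yet cannot setuid().
STATUS_NOCAP=$(printf 'Name:\tphp-fpm\nUid:\t33\t33\t33\t33\nCapBnd:\t0000000000000001\nNoNewPrivs:\t0\n')

# Stand-alone run prints the three verdicts; on a live host use for example
#   suid_elevation_check "$(cat /proc/"$(pgrep -o php-fpm)"/status)"
for s in "$STATUS_DEFAULT" "$STATUS_DROPIN" "$STATUS_NOCAP"; do
    suid_elevation_check "$s"
done
```

The "blocked-bset" case is why the drop-in keeps CAP_SETUID and CAP_SETGID in the bounding set rather than emptying it: clearing no_new_privs alone lets sudo start with euid 0 but leaves it unable to change to the target user.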
This task depends upon
If people really *need* to, they can freely override php-fpm.service via systemctl --edit; documentation in the wiki should be sufficient instead of lowering the overall security for everyone