FS#64750 - [php-fpm] Set of listen.acl* creates problems with SUID

Attached to Project: Arch Linux
Opened by Tobias (Ich875) - Friday, 06 December 2019, 05:50 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 14:08 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The solution of using listen.acl_user and listen.acl_group instead of listen.owner and listen.group creates a problem when reading files with SUID. That creates an error when exec'ing a command with 'sudo'.

Additional info:
* package version(s): php-fpm 7.4.0-2
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
- upgrade to PHP 7.4 including php-fpm
- change the setting in the www.conf from listen.owner and listen.group to listen.acl_user and listen.acl_group
- call a PHP script that calls exec with sudo (e. g. echo(exec('/usr/bin/sudo -l'));)
- result is "effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
- strace can be found here: https://pastebin.com/bAFFJPUe

Solution for this problem:
- create a drop-in for the php-fpm.service (e.g. /etc/systemd/system/php-fpm.service.d/php-fpm.conf ) with the following content:

[Service]
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_CHOWN
SecureBits=keep-caps
NoNewPrivileges=false

- change back the listen.acl_* to listen.* like before the upgrade to 7.4
- restart php-fpm and it worked again
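As an added audit check, not code from this report or from the Arch php-fpm package: a POSIX shell script that reads the unit properties `systemctl show` prints and flags the two settings the drop-in above weakens (NoNewPrivileges and SecureBits=keep-caps), plus a check for pool files that still rely on listen.owner/listen.group rather than the listen.acl_users/listen.acl_groups directives. The property and directive names are real; the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added audit helper; not code from the bug report or the Arch php-fpm package.
# check_fpm_hardening takes the text printed by
#   systemctl show php-fpm.service -p NoNewPrivileges -p SecureBits -p CapabilityBoundingSet
# and flags the settings the proposed drop-in changes to make SUID work again.
# pool_needs_chown takes pool config text (www.conf) and tells whether it
# still uses listen.owner/listen.group (needs CAP_CHOWN) instead of the ACLs.

check_fpm_hardening() {
    props="$1"
    weak=0
    nnp=$(printf '%s\n' "$props" | sed -n 's/^NoNewPrivileges=//p')
    bits=$(printf '%s\n' "$props" | sed -n 's/^SecureBits=//p')
    caps=$(printf '%s\n' "$props" | sed -n 's/^CapabilityBoundingSet=//p')
    # NoNewPrivileges=no: execve() honours setuid bits again, so a worker can
    # run sudo, which is the escalation path the maintainer rejects
    if [ "$nnp" = "no" ]; then
        echo "WEAK: NoNewPrivileges=no (SUID binaries honoured)"; weak=1
    fi
    case " $bits " in
        *keep-caps*) echo "WEAK: SecureBits=keep-caps (caps survive setuid)"; weak=1 ;;
    esac
    echo "INFO: bounding set: ${caps:-(unit default)}"
    [ "$weak" -eq 0 ] && echo "OK: hardening intact"
    return "$weak"
}

pool_needs_chown() {
    # true when an uncommented listen.owner or listen.group line is present
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen\.(owner|group)[[:space:]]*='
}

# Constructed samples shaped like the real outputs (not captured from a system)
WEAKENED='NoNewPrivileges=no
SecureBits=keep-caps
CapabilityBoundingSet=cap_chown cap_setgid cap_setuid'
STOCK='NoNewPrivileges=yes
SecureBits=0
CapabilityBoundingSet=cap_chown cap_setgid cap_setuid'
POOL_ACL='[www]
listen = /run/php-fpm/php-fpm.sock
listen.acl_users = http
;listen.owner = http'

check_fpm_hardening "$WEAKENED"; echo "status: $?"
check_fpm_hardening "$STOCK";    echo "status: $?"
pool_needs_chown "$POOL_ACL" && echo "pool needs CAP_CHOWN" || echo "pool uses ACLs"
```

On a live host, feed the function the real output of the `systemctl show` command named in the header comment and the contents of /etc/php/php-fpm.d/www.conf; a nonzero status from check_fpm_hardening means the unit has been opened up.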

Closed by Pierre Schmitz (Pierre)
Wednesday, 18 December 2019, 14:08 GMT
Reason for closing: Fixed
Comment by Levente Polyak (anthraxx) - Friday, 06 December 2019, 07:49 GMT
I question why you want this; this looks like an overall bad idea to escalate to root via a PHP script run through php-fpm. We shouldn't lower the security for some edge cases that I question should be done at all.
If people really *need* to, they can freely override php-fpm.service via systemctl --edit; documentation in the wiki should be sufficient instead of lowering the overall security for everyone.
