pkgsrc-Users archive


Restricting "php-fpm" to particular directories



        Hello,

after reading this thread ...

        http://mail-index.netbsd.org/tech-pkg/2014/03/17/msg012773.html

... on the "tech-pkg" mailing list I had a look at PHP-FPM. The Apache
wiki under http://wiki.apache.org/httpd/PHP-FPM contains the following
configuration example:

        ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/path/to/your/documentroot/$1

This looks to me like PHP-FPM accepts arbitrary path names to PHP scripts
over its FCGI socket. So a local user could write a PHP script that kills
various Apache or PHP-FPM processes and run it via the FCGI interface
with the right user id.

This looks like a big security hole to me. What am I missing?

        Kind regards

-- 
Matthias Scheler                                 https://zhadum.org.uk/
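As an added example (not part of the thread above and not pkgsrc or PHP-FPM code), the following Python script audits a php-fpm pool configuration for the two things the mail is worried about: who can connect to the FPM socket at all, and which files a connecting client may name as the script to execute. It uses real php-fpm pool directive names (listen, listen.owner, listen.group, listen.mode, chroot, php_admin_value[open_basedir], security.limit_extensions); the two sample pools are constructed, and the assumed defaults (listen.mode 0660, security.limit_extensions .php) are taken from the php-fpm documentation. A loopback TCP listener such as the 127.0.0.1:9000 in the Apache wiki example is reachable by every local process, whereas a UNIX socket can be restricted by file mode and ownership, and open_basedir/chroot bound which files the pool will execute.

```python
import re

# Constructed sample pools (not from the thread). The first mirrors the Apache
# wiki setup quoted in the mail: PHP-FPM reachable on loopback TCP with no
# restriction on which files a request may name. The second is a hardened form.
LOOSE_POOL = """
[www]
user = www
group = www
listen = 127.0.0.1:9000
pm = static
pm.max_children = 4
"""

HARDENED_POOL = """
[www]
user = www
group = www
listen = /var/run/php-fpm-www.sock
listen.owner = www
listen.group = www
listen.mode = 0660
chroot = /srv/www
php_admin_value[open_basedir] = /srv/www/htdocs:/tmp
security.limit_extensions = .php
"""

# host:port, [v6]:port or a bare port number all mean a TCP listener.
TCP_LISTEN = re.compile(r'^(\[[0-9a-fA-F:]+\]|[0-9.]+)?:?\d{1,5}$')


def parse_pool(text):
    """Parse one php-fpm pool (ini-like 'key = value' lines) into a dict."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#[':
            continue  # comment or [section] header
        key, sep, value = line.partition('=')
        if sep:
            directives[key.strip()] = value.strip()
    return directives


def audit_pool(directives):
    """Return hardening findings for the two things the mail is about:
    who can connect to the FPM socket, and which files a request may name."""
    findings = []
    listen = directives.get('listen', '')
    if TCP_LISTEN.match(listen):
        # A TCP listener is reachable by every local process; listen.allowed_clients
        # filters by source IP only, which does not distinguish local users.
        findings.append('listen: TCP socket %s is connectable by any local user' % listen)
    elif listen:
        # UNIX socket: access is governed by the socket file's mode and ownership.
        # Assumed default mode 0660 (php-fpm documentation).
        mode = directives.get('listen.mode', '0660')
        if int(mode, 8) & 0o007:
            findings.append('listen.mode: %s grants access to every local user' % mode)
        if 'listen.owner' not in directives and 'listen.group' not in directives:
            findings.append('listen.owner/listen.group: not set; socket ownership left to defaults')
    else:
        findings.append('listen: not set')
    if 'php_admin_value[open_basedir]' not in directives:
        findings.append('open_basedir: not set; any readable .php file can be named as SCRIPT_FILENAME')
    if 'chroot' not in directives:
        findings.append('chroot: not set; pool workers see the whole filesystem')
    # Assumed default ".php" (php-fpm documentation); an empty value disables the check.
    if directives.get('security.limit_extensions', '.php') == '':
        findings.append('security.limit_extensions: empty; non-.php files may be executed as PHP')
    return findings


if __name__ == '__main__':
    for name, text in (('loose', LOOSE_POOL), ('hardened', HARDENED_POOL)):
        print(name, audit_pool(parse_pool(text)) or ['no findings'])
```

Running it reports three findings for the loose pool (TCP listener, no open_basedir, no chroot) and none for the hardened one. The mode check only looks at the "other" bits, so a socket owned by the web server user with mode 0660 passes while 0666 is flagged.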

