pkgsrc-Users archive


Restricting "php-fpm" to a particular directories


after reading this thread ...

... on the "tech-pkg" mailing list I had a look at PHP-FPM. The Apache
wiki under contains the following
configuration example:

        ProxyPassMatch ^/(.*\.php(/.*)?)$ 

This looks to me like PHP-FPM accepts arbitrary path names to PHP scripts
over its FCGI socket. So a local user could write a PHP script that kills
various Apache or PHP-FPM processes and run it via the FCGI interface
with the right user id.

This looks like a big security hole to me. What am I missing?

        Kind regards

Matthias Scheler                       
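
An added example, not part of the original post and not PHP-FPM's own code: a Python check of one pool configuration for the two things the concern above depends on, namely who can connect to the FastCGI listener and whether the pool is confined to a directory. The sample pools, paths and user names are constructed; the finding names are hypothetical labels.

```python
# Constructed sample pools; paths and user names are placeholders.
TCP_POOL = """\
[www]
user = www
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
"""

SOCKET_POOL = """\
[www]
user = www
listen = /var/run/php-fpm-www.sock
listen.owner = www
listen.group = www
listen.mode = 0660
php_admin_value[open_basedir] = /var/www/site/
"""


def parse_pool(text):
    """Return the directives of one pool, skipping comments and section headers."""
    directives = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip()] = value.strip()
    return directives


def audit_pool(text):
    """List findings about who can reach the listener and what the pool may run."""
    d = parse_pool(text)
    findings = []
    if not d.get("listen", "").startswith("/"):
        # TCP has no file permissions, and listen.allowed_clients filters by
        # source IP only, so any local account can connect via loopback.
        findings.append("tcp-listener-open-to-local-users")
    elif int(d.get("listen.mode", "0660"), 8) & 0o007:
        # Assumes a default mode of 0660 when listen.mode is not set.
        findings.append("socket-accessible-to-others")
    if "chroot" not in d and "php_admin_value[open_basedir]" not in d:
        findings.append("no-directory-restriction")
    return findings


if __name__ == "__main__":
    for name, pool in (("tcp", TCP_POOL), ("socket", SOCKET_POOL)):
        print(name, audit_pool(pool))
```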
