Restricting "php-fpm" to a particular directories
After reading this thread ...
... on the "tech-pkg" mailing list I had a look at PHP-FPM. The Apache
wiki under http://wiki.apache.org/httpd/PHP-FPM contains the following
This looks to me like PHP-FPM accepts arbitrary path names to PHP scripts
over its FCGI socket. So a local user could write a PHP script that kills
various Apache or PHP-FPM processes and run it via the FCGI interface
with the right user id.
This looks like a big security hole to me. What am I missing?
Matthias Scheler https://zhadum.org.uk/