PHP :: Bug #80669 :: Can't initgroups() when specifying numeric user

Bug #80669	Can't initgroups() when specifying numeric user
Submitted:	2021-01-25 16:49 UTC	Modified:	2022-11-23 12:35 UTC
From:	andreas dot ley at kit dot edu	Assigned:	bukka (profile)
Status:	Closed	Package:	FPM related
PHP Version:	Irrelevant	OS:	Debian GNU/Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2021-01-25 16:49 UTC] andreas dot ley at kit dot edu

Description:
------------
When using PHP-FPM, you can configure the "user" directive for a pool with either an (alphanumeric) username or a (numeric) uid. However, if you do the latter, initgroups() won't set supplementary groups.

This is due to fpm_unix_init_child() in sapi/fpm/fpm/fpm_unix.c calling "initgroups(wp->config->user, wp->set_gid)".

One possible solution would be changing this to "initgroups(wp->user, wp->set_gid)" which would require to set wp->user from getpwuid(wp->set_uid) in fpm_unix_conf_wp() in the very same file, which currently is only done when is_root is false.

One objection could be that a uid might not be unique, but the same applies to the non-root case. Another possibility then might be an explicit configuration directive for supplementary groups.

If you decide to go for the first solution, I'd volunteer to write a patch for that upon request.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-01-25 17:14 UTC] cmb@php.net

-Package: *Configuration Issues +Package: FPM related

[2022-11-23 10:41 UTC] git@php.net

Automatic comment on behalf of bukka
Revision: https://github.com/php/php-src/commit/94702c56e0cc98166b12ebc202e6aebf08b12b5e
Log: Fix bug #80669: FPM numeric user fails to set groups

[2022-11-23 10:41 UTC] git@php.net

-Status: Open +Status: Closed

[2022-11-23 12:35 UTC] bukka@php.net

-Assigned To: +Assigned To: bukka

[2022-11-23 12:35 UTC] bukka@php.net

Just for the reference this was fixed by this PR: https://github.com/php/php-src/pull/9983


Except setting user from getpwuid, I also set a group which is a small BC break but the previous behavior (using root group) was not intended and seems wrong and not very secure... Anyway in case anyone relies on it, I merged it to 8.2 only.

I think we don't really need to worry about non unique uid as there are probably not many users that use them and as you say it doesn't work for non-root already.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 09:01:29 2024 UTC