php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80669 Can't initgroups() when specifying numeric user
Submitted: 2021-01-25 16:49 UTC Modified: 2022-11-23 12:35 UTC
From: andreas dot ley at kit dot edu Assigned: bukka (profile)
Status: Closed Package: FPM related
PHP Version: Irrelevant OS: Debian GNU/Linux
Private report: No CVE-ID: None
 [2021-01-25 16:49 UTC] andreas dot ley at kit dot edu
Description:
------------
When using PHP-FPM, you can configure the "user" directive for a pool with either an (alphanumeric) username or a (numeric) uid. However, if you do the latter, initgroups() won't set supplementary groups.

This is due to fpm_unix_init_child() in sapi/fpm/fpm/fpm_unix.c calling "initgroups(wp->config->user, wp->set_gid)".

One possible solution would be changing this to "initgroups(wp->user, wp->set_gid)" which would require to set wp->user from getpwuid(wp->set_uid) in fpm_unix_conf_wp() in the very same file, which currently is only done when is_root is false.

One objection could be that a uid might not be unique, but the same applies to the non-root case. Another possibility then might be an explicit configuration directive for supplementary groups.

If you decide to go for the first solution, I'd volunteer to write a patch for that upon request.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-25 17:14 UTC] cmb@php.net
-Package: *Configuration Issues +Package: FPM related
 [2022-11-23 10:41 UTC] git@php.net
Automatic comment on behalf of bukka
Revision: https://github.com/php/php-src/commit/94702c56e0cc98166b12ebc202e6aebf08b12b5e
Log: Fix bug #80669: FPM numeric user fails to set groups
 [2022-11-23 10:41 UTC] git@php.net
-Status: Open +Status: Closed
 [2022-11-23 12:35 UTC] bukka@php.net
-Assigned To: +Assigned To: bukka
 [2022-11-23 12:35 UTC] bukka@php.net
Just for the reference this was fixed by this PR: https://github.com/php/php-src/pull/9983


Except setting user from getpwuid, I also set a group which is a small BC break but the previous behavior (using root group) was not intended and seems wrong and not very secure... Anyway in case anyone relies on it, I merged it to 8.2 only.

I think we don't really need to worry about non unique uid as there are probably not many users that use them and as you say it doesn't work for non-root already.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC