Request #72510 systemd service should be hardened
Submitted: 2016-06-28 20:05 UTC Modified: 2018-12-12 16:14 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: candrews at integralblue dot com Assigned: cmb (profile)
Status: Closed Package: FPM related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2016-06-28 20:05 UTC] candrews at integralblue dot com
Description:
------------
The php-fpm systemd service, php-fpm.service, should be hardened as much as possible against potential attacks. Besides reducing the likelihood of an attack, if php does get compromised, there will be less damage possible.

I suggest these features be added to the systemd units:
---------------
ProtectHome=true
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
# Required for dropping privileges and running as a different user
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
---------------

I tested these settings and didn't experience any problems in my (admittedly limited) setup. I think they should be fine for anyone except for exceptional and odd situations (e.g., php-fpm is set up to read files from /tmp that another service writes to /tmp). For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.

Test script:
---------------
n/a

Expected result:
----------------
n/a

Actual result:
--------------
n/a
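As an added example (not code from the report or from the php-src commit that closed it), a POSIX shell helper that writes the directives listed above as a systemd drop-in and audits a unit file for which of them are absent. The drop-in directory (php-fpm.service.d) is an assumption, since the unit's name varies by distribution.

```shell
#!/bin/sh
# The hardening directives requested in this report, with the values it gives.
HARDENING_DIRECTIVES='ProtectHome=true
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID'

# Write the directives as a [Service] drop-in under DIR and print the file path.
# DIR would normally be /etc/systemd/system/php-fpm.service.d (assumed name; the
# unit is called differently on some distributions). Follow with
# `systemctl daemon-reload` on a live system.
write_hardening_dropin() {
    dir=$1
    mkdir -p "$dir"
    {
        printf '[Service]\n'
        printf '%s\n' "$HARDENING_DIRECTIVES"
    } > "$dir/hardening.conf"
    printf '%s\n' "$dir/hardening.conf"
}

# Audit one unit file or drop-in: print the name of every directive from the set
# above that is not present with exactly the requested value, one per line.
# Exit status is 0 only when nothing is missing. The match is literal, so a
# stronger setting (e.g. ProtectSystem=strict) is still reported; the check also
# reads a single file and does not resolve drop-in precedence across files.
missing_hardening() {
    unit=$1
    count=0
    while IFS= read -r directive; do
        if ! grep -Eq "^[[:space:]]*${directive}[[:space:]]*$" "$unit"; then
            printf '%s\n' "${directive%%=*}"
            count=$((count + 1))
        fi
    done <<EOF
$HARDENING_DIRECTIVES
EOF
    [ "$count" -eq 0 ]
}

# Example (paths are illustrative):
#   missing_hardening /usr/lib/systemd/system/php-fpm.service
#   write_hardening_dropin /etc/systemd/system/php-fpm.service.d
```

On a running system the authoritative check is the effective unit state, e.g. `systemctl show php-fpm.service -p ProtectHome -p ProtectSystem -p CapabilityBoundingSet`, which reflects all drop-ins after `daemon-reload`.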

History

 [2018-12-12 16:14 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2018-12-12 16:14 UTC] cmb@php.net
This feature request has been implemented as commit 40c4d7f[1].

[1] <http://git.php.net/?p=php-src.git;a=commit;h=40c4d7f1820df1872a71ab07fd26da45a203e37f>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 10:01:29 2024 UTC