|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #65935 support for checking script uid/gid
Submitted: 2013-10-21 09:15 UTC Modified: 2021-11-17 18:36 UTC
From: mustnotbevalid at example dot com Assigned:
Status: Suspended Package: FPM related
PHP Version: 5.4.21 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mustnotbevalid at example dot com
New email:
PHP Version: OS:


 [2013-10-21 09:15 UTC] mustnotbevalid at example dot com
For security reasons, it would be nice to have the option similar to Apache suExec where FPM checks the uid/gid of the script file before executing it, and only allowing scripts to be executed with a matching uid/gid specified in the pool config file.

This would serve as an extra layer of defense against exploit attempts which try to write files via PHP or other CGI scripts as they would be saved with the uid of the webserver. Combined with verbose logging of such requests, this would also serve as an a good indicator that some scripts on the system are insecure.


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-14 01:18 UTC]
-Assigned To: +Assigned To: fat
 [2017-10-24 07:45 UTC]
-Status: Assigned +Status: Open -Assigned To: fat +Assigned To:
 [2021-11-17 18:36 UTC]
-Status: Open +Status: Suspended
 [2021-11-17 18:36 UTC]
From a quick glance, that reminds me of safe_mode.  Anyhow, this
feature would require an RFC, so all details could be sufficiently
discussed and clarified.  Anybody is welcome to pursue the RFC
process[1]; for the time being, I suspend this ticket.

[1] <>
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Oct 06 23:05:52 2022 UTC