php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #66611 php allows sockets to be inherited
Submitted: 2014-01-30 10:37 UTC Modified: 2023-08-26 14:31 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:3 (100.0%)
From: arekm at maven dot pl Assigned:
Status: Duplicate Package: FPM related
PHP Version: 5.5.8 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2014-01-30 10:37 UTC] arekm at maven dot pl 
Description:
------------
php fcgi and fpm unfortunately allow subprocesses to inherit server socket.

For example, test script:

<?php
system("sleep 1000");
?>

run it using browser over fcgi or fpm, we get:

# pstree -lpu |grep 32686
        |                          `-php55.fcgi(32671)-+-php55.fcgi(32678)---sh(32686)

but now look what descriptors are avilable to "sh" process:
# lsof |grep 32686
[...]
sh        32686         lighttpd    0u     unix 0xffff880261a17700       0t0    9572697 /var/run/php/php-fcgi-32664.sock-1
[...]
sh        32686         lighttpd    3u     unix 0xffff880261a15e80       0t0    9576285 /var/run/php/php-fcgi-32664.sock-1

as you can see "sleep" has access to fcgi socket! And instead of sleep I could run some malicious code.

The same happens with tcp socket in case of fpm over tcp. Processes forked from php have access to server socket 9000.


The solution is to set FD_CLOEXEC (see man fcntl) flag on socket or use proper api (SOCK_CLOEXEC flag, accept4()).


Note that leaking descriptors/sockets falls into secutity catgory in some cases.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-01-30 10:38 UTC] arekm at maven dot pl 
Note, example of similar case (leaking socket/descriptors) in apache apr code and how it got fixed there:
http://svn.apache.org/viewvc?view=revision&revision=747990
 [2014-01-31 20:06 UTC] glen at delfi dot ee 
that svnweb link opens dead slow, so here's command you can get the diff faster from terminal:

$ svn diff -c 747990 https://svn.apache.org/repos/asf
 [2014-01-31 20:08 UTC] glen at delfi dot ee 
$ svn log -c 747990 https://svn.apache.org/repos/asf|diffcol |less
------------------------------------------------------------------------
r747990 | bojan | 2009-02-26 04:41:21 +0200 (N, 26 veebr 2009) | 7 lines

Set CLOEXEC flags where appropriate. Either use new O_CLOEXEC flag and
associated functions, such as dup3(), accept4(), epoll_create1() etc., or
simply set CLOEXEC flag using fcntl().
Patch by Stefan Fritsch <sf sfritsch.de> and
Arkadiusz Miskiewicz <arekm pld-linux.org>.
PR 46425.
 [2014-01-31 20:09 UTC] glen at delfi dot ee 
https://issues.apache.org/bugzilla/show_bug.cgi?id=46425
 [2014-08-04 19:41 UTC] langemeijer@php.net
-Status: Open +Status: Duplicate
 [2014-08-04 19:41 UTC] langemeijer@php.net 
This is a partial duplicate of bug #67383 (Which contains a patch solves this problem and should be merged by someone!)
 [2023-08-26 14:31 UTC] bukka@php.net 
This has been addressed by https://github.com/php/php-src/commit/418cdc0bea3d7787587964f42c309602d70232c6 and will be available in PHP 8.3.0.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Apr 02 21:01:29 2025 UTC