php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66611 php allows sockets to be inherited
Submitted: 2014-01-30 10:37 UTC Modified: 2014-08-04 19:41 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:3 (100.0%)
From: arekm at maven dot pl Assigned:
Status: Duplicate Package: FPM related
PHP Version: 5.5.8 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: arekm at maven dot pl
New email:
PHP Version: OS:

 

 [2014-01-30 10:37 UTC] arekm at maven dot pl
Description:
------------
php fcgi and fpm unfortunately allow subprocesses to inherit server socket.

For example, test script:

<?php
system("sleep 1000");
?>

run it using browser over fcgi or fpm, we get:

# pstree -lpu |grep 32686
        |                          `-php55.fcgi(32671)-+-php55.fcgi(32678)---sh(32686)

but now look what descriptors are avilable to "sh" process:
# lsof |grep 32686
[...]
sh        32686         lighttpd    0u     unix 0xffff880261a17700       0t0    9572697 /var/run/php/php-fcgi-32664.sock-1
[...]
sh        32686         lighttpd    3u     unix 0xffff880261a15e80       0t0    9576285 /var/run/php/php-fcgi-32664.sock-1

as you can see "sleep" has access to fcgi socket! And instead of sleep I could run some malicious code.

The same happens with tcp socket in case of fpm over tcp. Processes forked from php have access to server socket 9000.


The solution is to set FD_CLOEXEC (see man fcntl) flag on socket or use proper api (SOCK_CLOEXEC flag, accept4()).


Note that leaking descriptors/sockets falls into secutity catgory in some cases.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-01-30 10:38 UTC] arekm at maven dot pl
Note, example of similar case (leaking socket/descriptors) in apache apr code and how it got fixed there:
http://svn.apache.org/viewvc?view=revision&revision=747990
 [2014-01-31 20:06 UTC] glen at delfi dot ee
that svnweb link opens dead slow, so here's command you can get the diff faster from terminal:

$ svn diff -c 747990 https://svn.apache.org/repos/asf
 [2014-01-31 20:08 UTC] glen at delfi dot ee
$ svn log -c 747990 https://svn.apache.org/repos/asf|diffcol |less
------------------------------------------------------------------------
r747990 | bojan | 2009-02-26 04:41:21 +0200 (N, 26 veebr 2009) | 7 lines

Set CLOEXEC flags where appropriate. Either use new O_CLOEXEC flag and
associated functions, such as dup3(), accept4(), epoll_create1() etc., or
simply set CLOEXEC flag using fcntl().
Patch by Stefan Fritsch <sf sfritsch.de> and
Arkadiusz Miskiewicz <arekm pld-linux.org>.
PR 46425.
 [2014-01-31 20:09 UTC] glen at delfi dot ee
https://issues.apache.org/bugzilla/show_bug.cgi?id=46425
 [2014-08-04 19:41 UTC] langemeijer@php.net
-Status: Open +Status: Duplicate
 [2014-08-04 19:41 UTC] langemeijer@php.net
This is a partial duplicate of bug #67383 (Which contains a patch solves this problem and should be merged by someone!)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC