Bug #66611 php allows sockets to be inherited
Submitted: 2014-01-30 10:37 UTC
Modified: 2023-08-26 14:31 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 3 (100.0%)
From: arekm at maven dot pl
Assigned:
Status: Duplicate
Package: FPM related
PHP Version: 5.5.8
OS: Linux
Private report: No
CVE-ID: None


 [2014-01-30 10:37 UTC] arekm at maven dot pl
php fcgi and fpm unfortunately allow subprocesses to inherit server socket.

For example, test script:

<?php system("sleep 1000");

run it using browser over fcgi or fpm, we get:

# pstree -lpu |grep 32686
        |                          `-php55.fcgi(32671)-+-php55.fcgi(32678)---sh(32686)

but now look what descriptors are available to "sh" process:
# lsof |grep 32686
sh        32686         lighttpd    0u     unix 0xffff880261a17700       0t0    9572697 /var/run/php/php-fcgi-32664.sock-1
sh        32686         lighttpd    3u     unix 0xffff880261a15e80       0t0    9576285 /var/run/php/php-fcgi-32664.sock-1

as you can see "sleep" has access to fcgi socket! And instead of sleep I could run some malicious code.

The same happens with tcp socket in case of fpm over tcp. Processes forked from php have access to server socket 9000.

The solution is to set FD_CLOEXEC (see man fcntl) flag on socket or use proper api (SOCK_CLOEXEC flag, accept4()).

Note that leaking descriptors/sockets falls into security category in some cases.
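
The behaviour reported above and the two proposed fixes, as an added example that is not part of the original report or of PHP's code. It assumes Linux with /proc mounted; the socket is an unbound AF_UNIX stand-in for the FastCGI/FPM server socket, and the function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum fd_mode { LEAKY, CLOEXEC_ATOMIC, CLOEXEC_FCNTL };

/* Open a socket that stands in for the FastCGI/FPM server socket (assumption). */
static int open_server_socket(enum fd_mode mode) {
    /* SOCK_CLOEXEC sets the close-on-exec flag atomically at creation time. */
    int type = SOCK_STREAM | (mode == CLOEXEC_ATOMIC ? SOCK_CLOEXEC : 0);
    int fd = socket(AF_UNIX, type, 0);
    if (fd < 0) return -1;
    if (mode == CLOEXEC_FCNTL) {
        /* Fallback: set FD_CLOEXEC afterwards. In a multithreaded program
           another thread can fork+exec between socket() and fcntl(). */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Spawn a shell with C's system(), mirroring the report's test script, and
   ask it whether it still holds the descriptor.
   Returns 1 if inherited, 0 if not, -1 on error. */
static int shell_inherits(enum fd_mode mode) {
    char cmd[64];
    int fd = open_server_socket(mode);
    if (fd < 0) return -1;
    snprintf(cmd, sizeof cmd, "[ -L /proc/self/fd/%d ]", fd);
    int status = system(cmd);   /* fork + exec of /bin/sh -c cmd */
    close(fd);
    if (status == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void) {
    printf("plain socket():   inherited=%d\n", shell_inherits(LEAKY));
    printf("SOCK_CLOEXEC:     inherited=%d\n", shell_inherits(CLOEXEC_ATOMIC));
    printf("fcntl FD_CLOEXEC: inherited=%d\n", shell_inherits(CLOEXEC_FCNTL));
    return 0;
}
```

The flag is per descriptor, so sockets returned by accept() need it as well, which is what accept4() with SOCK_CLOEXEC provides.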


 [2014-01-30 10:38 UTC] arekm at maven dot pl
Note, example of similar case (leaking socket/descriptors) in apache apr code and how it got fixed there:
 [2014-01-31 20:06 UTC] glen at delfi dot ee
that svnweb link opens dead slow, so here's command you can get the diff faster from terminal:

$ svn diff -c 747990
 [2014-01-31 20:08 UTC] glen at delfi dot ee
$ svn log -c 747990|diffcol |less
r747990 | bojan | 2009-02-26 04:41:21 +0200 (N, 26 veebr 2009) | 7 lines

Set CLOEXEC flags where appropriate. Either use new O_CLOEXEC flag and
associated functions, such as dup3(), accept4(), epoll_create1() etc., or
simply set CLOEXEC flag using fcntl().
Patch by Stefan Fritsch <sf> and
Arkadiusz Miskiewicz <arekm>.
PR 46425.
 [2014-01-31 20:09 UTC] glen at delfi dot ee
 [2014-08-04 19:41 UTC]
-Status: Open +Status: Duplicate
 [2014-08-04 19:41 UTC]
This is a partial duplicate of bug #67383 (which contains a patch that solves this problem and should be merged by someone!)
 [2023-08-26 14:31 UTC]
This has been addressed by and will be available in PHP 8.3.0.