php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #66611 php allows sockets to be inherited
Submitted: 2014-01-30 10:37 UTC Modified: 2023-08-26 14:31 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:3 (100.0%)
From: arekm at maven dot pl Assigned:
Status: Duplicate Package: FPM related
PHP Version: 5.5.8 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
6 + 44 = ?
Subscribe to this entry?

 
 [2014-01-30 10:37 UTC] arekm at maven dot pl 
Description:
------------
php fcgi and fpm unfortunately allow subprocesses to inherit server socket.

For example, test script:

<?php
system("sleep 1000");
?>

run it using browser over fcgi or fpm, we get:

# pstree -lpu |grep 32686
        |                          `-php55.fcgi(32671)-+-php55.fcgi(32678)---sh(32686)

but now look what descriptors are avilable to "sh" process:
# lsof |grep 32686
[...]
sh        32686         lighttpd    0u     unix 0xffff880261a17700       0t0    9572697 /var/run/php/php-fcgi-32664.sock-1
[...]
sh        32686         lighttpd    3u     unix 0xffff880261a15e80       0t0    9576285 /var/run/php/php-fcgi-32664.sock-1

as you can see "sleep" has access to fcgi socket! And instead of sleep I could run some malicious code.

The same happens with tcp socket in case of fpm over tcp. Processes forked from php have access to server socket 9000.


The solution is to set FD_CLOEXEC (see man fcntl) flag on socket or use proper api (SOCK_CLOEXEC flag, accept4()).


Note that leaking descriptors/sockets falls into secutity catgory in some cases.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-01-30 10:38 UTC] arekm at maven dot pl 
Note, example of similar case (leaking socket/descriptors) in apache apr code and how it got fixed there:
http://svn.apache.org/viewvc?view=revision&revision=747990
 [2014-01-31 20:06 UTC] glen at delfi dot ee 
that svnweb link opens dead slow, so here's command you can get the diff faster from terminal:

$ svn diff -c 747990 https://svn.apache.org/repos/asf
 [2014-01-31 20:08 UTC] glen at delfi dot ee 
$ svn log -c 747990 https://svn.apache.org/repos/asf|diffcol |less
------------------------------------------------------------------------
r747990 | bojan | 2009-02-26 04:41:21 +0200 (N, 26 veebr 2009) | 7 lines

Set CLOEXEC flags where appropriate. Either use new O_CLOEXEC flag and
associated functions, such as dup3(), accept4(), epoll_create1() etc., or
simply set CLOEXEC flag using fcntl().
Patch by Stefan Fritsch <sf sfritsch.de> and
Arkadiusz Miskiewicz <arekm pld-linux.org>.
PR 46425.
 [2014-01-31 20:09 UTC] glen at delfi dot ee 
https://issues.apache.org/bugzilla/show_bug.cgi?id=46425
 [2014-08-04 19:41 UTC] langemeijer@php.net
-Status: Open +Status: Duplicate
 [2014-08-04 19:41 UTC] langemeijer@php.net 
This is a partial duplicate of bug #67383 (Which contains a patch solves this problem and should be merged by someone!)
 [2023-08-26 14:31 UTC] bukka@php.net 
This has been addressed by https://github.com/php/php-src/commit/418cdc0bea3d7787587964f42c309602d70232c6 and will be available in PHP 8.3.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 09:01:27 2024 UTC