|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81704 opcache.restrict_api not working with PHP-FPM
Submitted: 2021-12-22 09:01 UTC Modified: 2021-12-22 21:58 UTC
Avg. Score:4.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mr-manuel at outlook dot it Assigned: bukka (profile)
Status: Assigned Package: opcache
PHP Version: Irrelevant OS: Debian 11
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-12-22 09:01 UTC] mr-manuel at outlook dot it
# actual behaviour
OPcache shows all cached files from all PHP-FPM pools using the same PHP version. In addition it shows a negative used_memory value, since it counts somehow all pools and not only the pool in which the script is executed.

# expected behaviour
OPcache in PHP-FPM should show only the scripts cached within the same pool.

# stept to reproduce
Use Apache with mpm_event module and PHP-FPM installation. Create per domain a separate PHP-FPM pool and execute the pools with different users.

Relevant pool settings:
# /etc/php/7.4/fpm/pool.d/domain-1.conf
php_admin_flag[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 128
php_admin_value[opcache.interned_strings_buffer] = 8
php_admin_value[opcache.max_accelerated_files] = 16229
php_admin_flag[opcache.validate_timestamps] = 1
php_admin_flag[opcache.save_comments] = 1
php_admin_value[opcache.revalidate_freq] = 1
php_admin_flag[opcache.fast_shutdown] = 1
php_admin_value[opcache.restrict_api] = "/var/www/html/"
... rest is default

The settings for all domains are the same, except the domain path and config file name.

Execute the test script below on every pool/domain and check the scripts. You should see all scripts from all pools which are cached from the same PHP-FPM version.

Apache: 2.4.51
PHP versions used: 7.4.26, 8.0.13, 8.1.0

Test script:

Expected result:
OPcache in PHP-FPM should show only the scripts cached within the same pool.

Actual result:
OPcache in PHP-FPM shows all scripts that are cached within the same PHP-FPM version.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-22 13:46 UTC]
-Assigned To: +Assigned To: bukka
 [2021-12-22 13:46 UTC]
Looks like there is only one OPcache SHM for all FPM pools.

Jakub, could you please have a look at this?
 [2021-12-22 20:44 UTC]
This is known issue and it's a current design of FPM where MINIT is done on master level and the shared memory is allocated just once. I think the best solution for that would be introducing a process manager that would control pool process and do MINIT but that's quite a lot of work so it will take some time.

In any case this is not a security issue because pools are not considered as a security mechanism (read they don't provide full separtion). It is certainly not anything that we can change in the bug fixing release as it will require significant refactoring. This is a feature request though.
 [2021-12-22 21:58 UTC]
-Type: Security +Type: Feature/Change Request
 [2021-12-22 21:58 UTC]
Thanks for the clarification!  I added that info to the PHP

[1] <>
 [2023-08-23 11:15 UTC] truongthaietc50 at gmail dot com
The opcache.restrict_api directive in PHP's OPCache extension is designed to limit the exposure of OPCache management functions to specific scripts, enhancing security. However, as of my last update in September 2021, there were instances where this directive might not function as expected when used with PHP-FPM (FastCGI Process Manager). 

In some setups, especially with multiple PHP-FPM pools or versions, the restriction might not take effect due to how PHP-FPM processes are managed and how OPCache contexts are shared. If you're encountering issues with opcache.restrict_api and PHP-FPM, consider updating PHP to the latest version, checking for any reported bugs or patches, and reviewing the PHP-FPM and OPCache configuration interactions.  (
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Mar 04 22:01:30 2024 UTC