pkgsrc-Users archive
Restricting "php-fpm" to a particular directories
Hello,
after reading this thread ...
http://mail-index.netbsd.org/tech-pkg/2014/03/17/msg012773.html
... on the "tech-pkg" mailing list I had a look at PHP-FPM. The Apache
wiki under http://wiki.apache.org/httpd/PHP-FPM contains the following
configuration example:
  ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/path/to/your/documentroot/$1
This looks to me like PHP-FPM accepts arbitrary path names to PHP scripts
over its FCGI socket. So a local user could write a PHP script that kills
various Apache or PHP-FPM processes and run it via the FCGI interface
with the right user id.
This looks like a big security hole to me. What am I missing?
Kind regards
--
Matthias Scheler https://zhadum.org.uk/
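
An added example, not part of the original message or of PHP-FPM itself: a small Python check for the exposure raised above, flagging pools whose FastCGI listener is a TCP port (reachable by any local user) or a Unix socket without an explicit, restrictive `listen.mode`. The sample pool files, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample pool files for illustration (not from the original post).
TCP_POOL = """[www]
user = www
listen = 127.0.0.1:9000
"""
SOCKET_POOL = """[www]
user = www
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
"""

def parse_pools(text):
    """Parse php-fpm pool config text into {section: {directive: value}}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = pools.setdefault(section.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return pools

def audit_listen(text):
    """Return (pool, finding) pairs for listeners open to other local users."""
    findings = []
    for pool, cfg in parse_pools(text).items():
        listen = cfg.get("listen")
        if not listen:
            continue  # e.g. [global], which has no listener of its own
        if not listen.startswith("/"):
            # TCP listener: file permissions do not apply, so any local
            # account can connect; listen.allowed_clients filters by IP only.
            findings.append((pool, "tcp-listener"))
        elif "listen.mode" not in cfg:
            # Assumption of this check: require an explicit mode rather than
            # relying on the version-dependent default.
            findings.append((pool, "mode-unset"))
        elif int(cfg["listen.mode"], 8) & 0o007:
            findings.append((pool, "world-accessible-socket"))
    return findings

if __name__ == "__main__":
    for name, sample in (("tcp", TCP_POOL), ("socket", SOCKET_POOL)):
        print(name, audit_listen(sample))
```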