Regression: php5-fpm's socket should be accessible by www-data by default
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| php5 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Saucy |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
| Trusty |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
| Utopic |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
The recent security update to php5 broke common configurations for php5-fpm.
From IRC:
<asomething> mdeslaur, did you see jdub's comment in LP: #1307027?
<ubottu> Launchpad bug 1307027 in php5 (Ubuntu) "php5-fpm: Possible privilege escalation due to insecure default permissions of sockets" [Undecided,Fix released] https:/
<asomething> I'm seeing the same thing. I seeing the same thing. Even on a fresh install I need to go edit /etc/php5/
<mdeslaur> asomething: yes, you need to either relax permissions, or configure it with the account whatever you're accessing it is using
* roadmr has quit (Quit: Good night)
<mdeslaur> asomething: whatever procedure you followed to configure integration between your web server and php-fpm needs to be modified
<asomething> hmm... ok. are you saying there is no secure default that will work out of the box? I can handle that, but it seems to break most documentation on the web
<mdeslaur> we could make it default to www-data perhaps...not sure that would cover all the use cases
<asomething> that seems to be the most common, but maybe I'm just not aware of other uses
<mdeslaur> if someone can file a bug, and attach a debdiff, I'll sponsor it for an SRU assuming the SRU team considers it an appropriate change
<mdeslaur> asomething: actually, just file a bug, and I'll push it out as a regression fix
<asomething> ok, will do
<mdeslaur> asomething: thanks
<infinity> mdeslaur: Yeah, that's a perfectly reasonable fix. All webservers in Debian/Ubuntu are meant to run as www-data, so that would cover the common case.
<infinity> mdeslaur: People with weird setups are on their own, but they already knew that.
<mdeslaur> infinity: ok, will do, thanks
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: php5-fpm 5.5.9+dfsg-
ProcVersionSign
Uname: Linux 3.13.0-29-generic x86_64
NonfreeKernelMo
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 25 11:34:20 2014
InstallationDate: Installed on 2014-04-08 (78 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Daily amd64 (20140408)
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)
| Andrew Starr-Bochicchio (andrewsomething) wrote | #1 |
| Marc Deslauriers (mdeslaur) wrote | #2 |
| Changed in php5 (Ubuntu Utopic): | |
| status: | New → Fix Released |
| Changed in php5 (Ubuntu Saucy): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Trusty): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Saucy): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in php5 (Ubuntu Trusty): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Jeff Waugh (jdub) wrote | #3 |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in php5 (Ubuntu Saucy): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote | #5 |
| Changed in php5 (Ubuntu Trusty): | |
| status: | Confirmed → Fix Released |
Lucid doesn't ship fpm, Precise ships it listening on a local tcp port.
Only saucy and higher ship with a unix socket by default.