php5-fpm: Possible privilege escalation due to insecure default permissions of sockets
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php | Unknown | Unknown | | |
| php5 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Installing php5-fpm results in a default worker being defined in /etc/php5/
This worker is started automatically.
Current results:
php-fpm's default config / compiled-in config results in a world-writable socket:
$ ls -la /var/run/
srw-rw-rw- 1 root root 0 Apr 12 11:29 /var/run/
In other words: arbitrary (PHP) code execution as the www-data user is possible for any local user or any other user with the ability to connect to a UNIX socket.
Expected results:
/var/run/
Only the default web server user (www-data) should be able to run arbitrary PHP code this way.
Also, the default config should advise against using such permissions.
Please also note that more sophisticated setups may be affected as well (and with even worse implications). Any shared-hosting environment is affected, unless a non-default listen.mode value has been set.
I have filed an upstream bug [1] for this issue. It contains further information along with relevant sources & reproduce examples.
The bug is marked private, which is why I am attaching a PDF dump for now.
I am planning to inform <email address hidden> once I have heard back from the PHP security team, so I guess it would be best if no fixes were committed to public repositories yet.
$ lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04
$ apt-cache policy php5-fpm
php5-fpm:
Installed: 5.5.9+dfsg-1ubuntu4
Candidate: 5.5.9+dfsg-1ubuntu4
Version table:
*** 5.5.9+dfsg-1ubuntu4 0
500 ftp://mirror.
100 /var/lib/
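The weakness described in this report is a pool that listens on a UNIX socket without an explicit listen.mode, so the socket is created with the compiled-in 0666 and any local user can connect and hand PHP code to the worker. The following audit script is an added example and is not part of the bug report or of php-fpm: it parses pool files for the real php-fpm directives listen, listen.owner, listen.group and listen.mode, flags pools whose effective socket mode is world-writable, and can also inspect a socket that already exists on disk. The two sample pool texts, the socket path /var/run/php5-fpm.sock and the assumption that an unset listen.mode means 0666 are constructed for the example, not taken from the report.

```python
"""Audit php-fpm pool configuration and listen sockets for world-writable
permissions.

Added example (not the bug report's or php-fpm's own code). Directive names
are real php-fpm directives; the sample pools and the default mode value are
constructed assumptions for demonstration.
"""
import os
import re
import stat
import sys

# Constructed sample pools: the first leaves listen.mode unset (the insecure
# default this report is about); the second restricts the socket to www-data.
WEAK_POOL = """
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
"""

HARDENED_POOL = """
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""

# Assumption: php-fpm falls back to 0666 when listen.mode is not configured.
DEFAULT_LISTEN_MODE = 0o666

_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_pool(text):
    """Return {pool_name: {directive: value}} for an INI-style pool file.
    ';' starts a comment, as in php-fpm's own pool files."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            pools[current] = {}
            continue
        m = _DIRECTIVE.match(line)
        if m and current is not None:
            pools[current][m.group(1)] = m.group(2)
    return pools


def is_world_writable(mode_bits):
    """True if the 'other' write bit is set in a permission value."""
    return bool(mode_bits & stat.S_IWOTH)


def audit_pool(directives):
    """Return a list of findings (strings) for one pool's directives."""
    findings = []
    listen = directives.get("listen", "")
    if not listen.startswith("/"):
        return findings  # TCP listener: file permissions do not apply
    mode_str = directives.get("listen.mode")
    mode = int(mode_str, 8) if mode_str else DEFAULT_LISTEN_MODE
    if is_world_writable(mode):
        origin = "compiled-in default" if not mode_str else "listen.mode"
        findings.append(f"{listen}: world-writable socket ({origin} {mode:04o})")
    if "listen.owner" not in directives or "listen.group" not in directives:
        findings.append(f"{listen}: listen.owner/listen.group not set; "
                        "socket ownership falls back to the daemon's identity")
    return findings


def audit_socket_path(path):
    """Inspect an existing socket file; return a finding string or None."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return None
    perm = stat.S_IMODE(st.st_mode)
    if is_world_writable(perm):
        return f"{path}: mode {perm:04o} is world-writable"
    return None


if __name__ == "__main__":
    # Usage: python audit_fpm.py [pool.conf ...]; with no arguments the two
    # constructed samples are audited instead.
    sources = [open(p).read() for p in sys.argv[1:]] or [WEAK_POOL, HARDENED_POOL]
    for text in sources:
        for name, directives in parse_pool(text).items():
            for finding in audit_pool(directives) or [f"[{name}]: no findings"]:
                print(finding)
```

Running it against the real pool directory (`/etc/php5/fpm/pool.d/*.conf` on the affected Ubuntu release, an assumed path) lists every pool whose socket would be created world-writable; `audit_socket_path` covers the case where the config was already fixed but a stale socket with the old permissions is still present.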
| Changed in php5 (Ubuntu) | |
|---|---|
| status | New → Triaged |
| information type | Private Security → Public Security |
Upstream has provided a fix meanwhile (patch attached). As Ubuntu's default config differs, this part will probably have to be applied manually.
Information has been sent to the distros@ list.
Suggested embargo lift date is 2014-04-29; php-5.4.28, which includes the fix, will be released shortly after (~May 1st).