Regression: php5-fpm's socket should be accessible by www-data by default

Bug #1334337 reported by Andrew Starr-Bochicchio on 2014-06-25
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
php5 (Ubuntu)
Undecided
Unassigned
Saucy
Undecided
Marc Deslauriers
Trusty
Undecided
Marc Deslauriers
Utopic
Undecided
Unassigned

Bug Description

The recent security update to php5 broke common configurations for php5-fpm.

From IRC:

<asomething> mdeslaur, did you see jdub's comment in LP: #1307027?
<ubottu> Launchpad bug 1307027 in php5 (Ubuntu) "php5-fpm: Possible privilege escalation due to insecure default permissions of sockets" [Undecided,Fix released] https://launchpad.net/bugs/1307027
<asomething> I'm seeing the same thing. I seeing the same thing. Even on a fresh install I need to go edit /etc/php5/fpm/pool.d/www.conf to get php5-fpm working
<mdeslaur> asomething: yes, you need to either relax permissions, or configure it with the account whatever you're accessing it is using
* roadmr has quit (Quit: Good night)
<mdeslaur> asomething: whatever procedure you followed to configure integration between your web server and php-fpm needs to be modified
<asomething> hmm... ok. are you saying there is no secure default that will work out of the box? I can handle that, but it seems to break most documentation on the web
<mdeslaur> we could make it default to www-data perhaps...not sure that would cover all the use cases
<asomething> that seems to be the most common, but maybe I'm just not aware of other uses
<mdeslaur> if someone can file a bug, and attach a debdiff, I'll sponsor it for an SRU assuming the SRU team considers it an appropriate change
<mdeslaur> asomething: actually, just file a bug, and I'll push it out as a regression fix
<asomething> ok, will do
<mdeslaur> asomething: thanks
<infinity> mdeslaur: Yeah, that's a perfectly reasonable fix. All webservers in Debian/Ubuntu are meant to run as www-data, so that would cover the common case.
<infinity> mdeslaur: People with weird setups are on their own, but they already knew that.
<mdeslaur> infinity: ok, will do, thanks

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: php5-fpm 5.5.9+dfsg-1ubuntu4.1
ProcVersionSignature: Ubuntu 3.13.0-29.53-generic 3.13.11.2
Uname: Linux 3.13.0-29-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 25 11:34:20 2014
InstallationDate: Installed on 2014-04-08 (78 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Daily amd64 (20140408)
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)

Marc Deslauriers (mdeslaur) wrote :

Lucid doesn't ship fpm, Precise ships it listening on a local tcp port.
Only saucy and higher ship with a unix socket by default.

Changed in php5 (Ubuntu Utopic):
status: New → Fix Released
Changed in php5 (Ubuntu Saucy):
status: New → Confirmed
Changed in php5 (Ubuntu Trusty):
status: New → Confirmed
Changed in php5 (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Jeff Waugh (jdub) wrote :

Thanks for picking this up!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.3+dfsg-1ubuntu2.5

---------------
php5 (5.5.3+dfsg-1ubuntu2.5) saucy-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden> Wed, 25 Jun 2014 11:52:07 -0400

Changed in php5 (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.9+dfsg-1ubuntu4.2

---------------
php5 (5.5.9+dfsg-1ubuntu4.2) trusty-security; urgency=medium

  * SECURITY UPDATE: better FastCGI socket permissions (LP: #1334337)
    - debian/rules: enable listen.owner and listen.group so that the socket
      is accessible to www-data by default. This allows most setups to
      continue working with the more restrictive permissions.
 -- Marc Deslauriers <email address hidden> Wed, 25 Jun 2014 11:46:16 -0400

Changed in php5 (Ubuntu Trusty):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers