diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-04-15 10:43:24 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-05-11 23:32:35 -0700 |
| commit | 8a22540a95db7c8a9857efc2ced8b91ceffda238 (patch) | |
| tree | 8e814f00c0d45517b296bf9e87ea048bc98d6166 | |
| parent | 4b48b299885bf0e2f2c72902b072c28f255e8f68 (diff) | |
| download | php-git-8a22540a95db7c8a9857efc2ced8b91ceffda238.tar.gz | |
Fix bug #67060: use default mode of 660
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | sapi/fpm/fpm/fpm_unix.c | 2 | ||||
| -rw-r--r-- | sapi/fpm/php-fpm.conf.in | 4 |
3 files changed, 7 insertions, 3 deletions
@@ -10,6 +10,10 @@ PHP NEWS . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). (Stefan Esser). +- FPM: + . Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure + default configuration) (CVE-2014-0185). (Stas) + 11 Jul 2013, PHP 5.3.27 - Core: diff --git a/sapi/fpm/fpm/fpm_unix.c b/sapi/fpm/fpm/fpm_unix.c index 48249e8a49..ea0e67369c 100644 --- a/sapi/fpm/fpm/fpm_unix.c +++ b/sapi/fpm/fpm/fpm_unix.c @@ -35,7 +35,7 @@ int fpm_unix_resolve_socket_premissions(struct fpm_worker_pool_s *wp) /* {{{ */ /* uninitialized */ wp->socket_uid = -1; wp->socket_gid = -1; - wp->socket_mode = 0666; + wp->socket_mode = 0660; if (!c) { return 0; diff --git a/sapi/fpm/php-fpm.conf.in b/sapi/fpm/php-fpm.conf.in index 44e4dbac08..e8efc7020a 100644 --- a/sapi/fpm/php-fpm.conf.in +++ b/sapi/fpm/php-fpm.conf.in @@ -158,10 +158,10 @@ listen = 127.0.0.1:9000 ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user -; mode is set to 0666 +; mode is set to 0660 ;listen.owner = @php_fpm_user@ ;listen.group = @php_fpm_group@ -;listen.mode = 0666 +;listen.mode = 0660 ; List of ipv4 addresses of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original |