Welcome! Log In Create A New Profile

Advanced

Fpm Vs suPhp security issues.

Posted by Renzo Racioppi 
Renzo Racioppi
Fpm Vs suPhp security issues.
June 03, 2013 04:32AM
Hi, A serious doubt has come into my mind. One of suPhp security issues is
that, Apache in order to use PHP under certain privileges launches a
wrapper as root and then this wrapper changed its uid into the interested
one. So an attacker that takes control of the wrapper before it changes its
uid, may deal serious damage to the system.

So...

HOW does Php-Fpm generate per-pool processes? By a brief look to the
source, especially fpm_worker_pool.h and fpm_unix.c seems like that Fpm
master process does a similar thing: Fpm master process as root forks
itself and then calls setuid with the given uid at the conf file. Many
sites say that fpm is more secure than suPhp, but at this time seems they
share a similar structural problem. If I understood this correctly, does
Fpm have the same security issues as suPhp, or there is something that I am
missing?

Regards

--

---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Re: Fpm Vs suPhp security issues.
June 11, 2013 03:26AM
There are always security issues when running any process as root, the point is to run them as a restricted user, php can run as a permanent process that processes calls without having to restart or exit using a socket or tcp port. If you need more then one php process create a pool as round robin or assigned as geographic ip pool.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 72
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready