CVE-2014-0185: PHP-FPM sockets unavailable after updating PHP

Mattias Geniar, Tuesday, May 13, 2014 - last modified: Sunday, August 2, 2015

Reference: CVE-2014-0185

A few days ago, a security update to PHP was released that corrected the default permissions on the listening socket that PHP-FPM would create. If your PHP-FPM pool had a configuration like the one below, without an explicit owner/group/mode, it would default to user root, group root and mode 0666 (the snippet below is the default content of the php-fpm pool configuration).

;listen.owner = nobody
;listen.group = nobody
;listen.mode = 0666

The example above is in comments (note the lines starting with a semicolon), so wasn't active. That means the defaults of root/root/0666 were active. Sockets were created with the following permissions (read- and writable by all).

~# stat /var/run/php-fpm/pool.sock
...
Access: (0666/srw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)

The recent update to PHP (as of 5.3.38, 5.4.28 and 5.5.11) changes those default permissions, if not explicitly defined, to 0660. Meaning the socket is now only readable/writable by user root and group root. If your configuration depended on the "other" privileges being correct (meaning anyone can write to the socket and have it execute as the user php-fpm was executing as), your config will now break. These are the new default permissions.

~# stat /var/run/php-fpm/pool.sock
...
Access: (0660/srw-rw----)  Uid: (    0/    root)   Gid: (    0/    root)

So a more safe 0660 for everyone. Your Apache or Nginx logs can however trigger an error like this after the update, because the socket is unavailable to them.

HTTP/1.1 500 Internal Server Error
...

[error] [client 127.0.0.1] (13)Permission denied: FastCGI: failed to connect to server "/var/www/cgi-bin/http-socket.fcgi": connect() failed
[error] [client 127.0.0.1] FastCGI: incomplete headers (0 bytes) received from server "/var/www/cgi-bin/http-socket.fcgi"
...
127.0.0.1 - - [x/x/2014:00:00:00 +0200] "HEAD / HTTP/1.1" 500 - "-"

There's no reason to change your Apache configurations or FastCGI configs. The fix is in applying the correct permissions in your PHP-FPM pool configuration. Uncomment the listen.* parameters and set them explicitly.

listen.owner = httpd
listen.group = httpd
listen.mode = 0660

Remember: it's the webserver that is passing the request on to PHP-FPM, so the user that is running as the webserver needs read/write permissions on the Socket. In the case of Apache, that may be the 'httpd' or 'www-data' user, in the case of Nginx that'll be the 'nginx' user.

If you're struggling with permissions and need a quick resolution, you can change your PHP-FPM pool configuration (temporarily!!) back to the default permissions of earlier:

...
listen.mode = 0666

The new permissions and owner/group are only applied once you restart your PHP-FPM daemon.

If you're struggling with a PHP configuration no longer working after an PHP update, triggering HTTP 500 errors and throwing messages in your error logs about "failed to connect to server" (FastCGI), keep this in mind.

More info can be found on the PHP Sec Bug #67060: sapi/fpm: possible privilege escalation due to insecure default configuration page.


Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. If you're interested in keeping up with me, have a look at my podcast and weekly newsletter below. For more updates, follow me on Twitter as @mattiasgeniar.

SysCast podcast

In the SysCast podcast I talk about Linux & open source projects, interview sysadmins or developers and discuss web-related technologies. A show by and for geeks!

cron.weekly newsletter

A weekly newsletter - delivered every Sunday - for Linux sysadmins and open source users. It helps keeps you informed about open source projects, Linux guides & tutorials and the latest news.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!

Comments

maltris Monday, May 26, 2014 at 13:16

German article on this from me: http://coders-home.de/php-fpm-mit-unix-sockets-und-php-5-5-12-502-bad-gateway-528.html

I also liked your english article on the german one. :)

Cheers

Reply


Mike Monday, June 2, 2014 at 17:43

I thought so! Newly provisioned server wasn’t working after giving it some fresh updates and I noticed the subtle different in the config files. Your article confirms it. Thanks for sharing.

Reply


didifsx Sunday, August 3, 2014 at 22:36

This post helped me so much, I was getting error 500 and this part “Uncomment the listen.* parameters and set them explicitly.” fixed it.

Thanks

Reply


Leave a Reply

Your email address will not be published. Required fields are marked *