Systemd services should be hardened #2050
Comments
That is not true for Ubuntu. I just checked the service file on Ubuntu 22.04 (PHP 8.1): there are no hardening features enabled whatsoever. Additionally, changing hardening options has the potential to break applications. For instance, setting NoNewPrivileges=true will prevent PHP from sending mail via sendmail. I am not against hardening, but I think this should not be done by some minor update. Maybe introducing it with the next release, 24.04, would be acceptable. Additionally, you can enable the hardening features yourself using systemctl edit.
I've seen this too many times already. I guess
Understood, I will close this issue.
You didn't have to close the issue, but I need to hear from people running servers what the safe options to add are.
I never had an issue adding PrivateTmp=true and ProtectSystem=full for php-fpm.
You can't really make a one-size-fits-all configuration for php-fpm, since it's used to run thousands of applications, all of which have their own needs. I have a rather strict drop-in (with The upstream php repo has a pretty tame service unit that all *sensible* applications should work with: https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in If anything, this repo could adopt the upstream template but shouldn't add anything on top: sandbox-related issues are very hard to diagnose. All you get is generic "No such file or directory" or "Permission denied" errors, the very same errors you commonly hit when messing up file permissions or a path in some config, making it nearly impossible to google for. Even worse when the issue would be sury-specific. On Debian 12 I additionally use the following:
Not security-related but nice to have:
I guess it makes sense to merge the upstream into what we already have:
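The drop-in approach the comments above describe, as an added example that is not the sury packaging's or php-src's own code: a POSIX shell script that reads a php-fpm unit together with its drop-ins the way systemd merges them (later files override earlier ones), reports which sandboxing directives are in effect, writes the conservative override the thread reports as safe (PrivateTmp=true, ProtectSystem=full), and flags NoNewPrivileges=true because of the sendmail breakage mentioned. The unit file contents, the drop-in paths and the list of directives it reports on are constructed for the example and are not taken from any distribution's unit.

```shell
#!/bin/sh
# Added example for this thread; not the sury packaging or php-src code.
# Parses a php-fpm unit plus optional drop-ins the way systemd merges them
# (later files win) and reports which sandboxing directives are in effect.
# The unit file, drop-in contents and directive list below are constructed
# for the example.

# Directives to report. This list is an assumption for the example, not a
# baseline that suits every php-fpm deployment.
HARDENING_KEYS="PrivateTmp ProtectSystem ProtectHome NoNewPrivileges ProtectKernelTunables ProtectControlGroups"

# unit_get KEY FILE...: print the effective value of KEY from the [Service]
# section across FILE... in order. A later assignment overrides an earlier
# one and an empty "KEY=" resets it, mirroring systemd's merge rules.
# Commented lines ("#" or ";") are ignored, so a commented-out directive
# does not count as set.
unit_get() {
    k=$1
    shift
    awk -v key="$k" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        !in_service || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            sub(/[ \t]+$/, "", name)
            if (name == key) {
                val = substr($0, eq + 1)
                sub(/^[ \t]+/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$@"
}

# hardening_report FILE...: one line per directive, "(unset)" when absent.
hardening_report() {
    for key in $HARDENING_KEYS; do
        value=$(unit_get "$key" "$@")
        printf '%s=%s\n' "$key" "${value:-(unset)}"
    done
}

# hardening_count FILE...: number of directives from HARDENING_KEYS that are set.
hardening_count() {
    n=0
    for key in $HARDENING_KEYS; do
        if [ -n "$(unit_get "$key" "$@")" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# sendmail_safe FILE...: succeed unless NoNewPrivileges is enabled. That
# setting stops execve() from granting setuid/setgid, so PHP's mail() could
# no longer run a setuid sendmail wrapper, the breakage mentioned in the thread.
sendmail_safe() {
    case $(unit_get NoNewPrivileges "$@") in
        true|yes|on|1) return 1 ;;
        *) return 0 ;;
    esac
}

# write_dropin FILE: the conservative override the thread reports as safe,
# in the shape `systemctl edit php8.1-fpm` stores under
# /etc/systemd/system/php8.1-fpm.service.d/ (path assumed for the example).
write_dropin() {
    cat > "$1" <<'EOF'
[Service]
PrivateTmp=true
ProtectSystem=full
EOF
}

work=$(mktemp -d)
SAMPLE_UNIT=$work/php8.1-fpm.service
DROPIN=$work/override.conf
STRICT_DROPIN=$work/strict.conf

# Constructed unit modelled on a distro unit with no sandboxing at all.
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=The PHP 8.1 FastCGI Process Manager
After=network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm8.1 --nodaemonize --fpm-config /etc/php/8.1/fpm/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
# PrivateTmp=true
EOF

write_dropin "$DROPIN"

# A stricter drop-in written only to exercise the caveat check.
cat > "$STRICT_DROPIN" <<'EOF'
[Service]
NoNewPrivileges=true
EOF

echo "distro unit alone:"
hardening_report "$SAMPLE_UNIT"
echo "with conservative drop-in:"
hardening_report "$SAMPLE_UNIT" "$DROPIN"
sendmail_safe "$SAMPLE_UNIT" "$DROPIN" "$STRICT_DROPIN" \
    || echo "warning: NoNewPrivileges=true would break mail() via setuid sendmail"
```

On a real host the equivalent checks are `systemctl cat php8.1-fpm` to see the unit with every drop-in systemd actually merges, and `systemd-analyze security php8.1-fpm` for systemd's own scored report of the sandboxing directives; the script above only reproduces the merge order and the one caveat from the thread, it does not replace either command.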
Is your feature request related to a problem? Please describe.
Hardening of the PHP-FPM systemd units has been implemented by the PHP devs and by distros like Ubuntu and CentOS.
Describe the solution you'd like
I would like to see some hardening applied to the systemd services. E.g. PrivateTmp=true is a standard feature of default PHP-FPM units from Ubuntu and CentOS repositories.
Distribution (please complete the following information):
Package(s) (please complete the following information):
php*-fpm
Additional context
The default configuration for PHP 8.1 does not include any security measures:
For comparison, a unit file from CentOS repos: