Hi, It seems to me a workaround for this bug is to run the systemd unit of the PHP-FPM process as `www-data`. This should mitigate the privilege escalation because the process would escalate from `www-data` to... well, `www-data`.
Obviously that doesn't work if you have multiple pools running as
different users.
Three files need to be changed for this to take effect:
# cat /etc/systemd/system/php7.3-fpm.service.d/override.conf
[Service]
# mitigation for possible privilege escalations in php-fpm
# (e.g. CVE-2021-21703): do not run the master as root
User=www-data
# cat /etc/php/7.3/fpm/pool.d/00-rootless-logs.conf
[global]
; default value from Debian: /var/log/php7.3-fpm.log
error_log = /var/log/php/fpm.log
# cat /etc/logrotate.d/php7.3-fpm
/var/log/php/fpm.log {
rotate 12
weekly
missingok
notifempty
compress
delaycompress
postrotate
/usr/lib/php/php7.3-fpm-reopenlogs
endscript
}
php-fpm and systemd needs to be reloaded as well:
systemctl daemon-reload
systemctl restart php7.3-fpm
This should also be possible in the `init.d` sysvinit script, I leave
that as an exercise for the reader.
a.
--
My passionate sense of social justice and social responsibility has
always contrasted oddly with my pronounced lack of need for direct
contact with other human beings and communities. I am truly a "lone
traveler" and have never belonged to my country, my home, my friends,
or even my immediate family, with my whole heart; in the face of all
these ties, I have never lost a sense of distance and a need for
solitude.
- Albert Einstein
signature.asc
Description: PGP signature
