#1009964 - php-fpm.service should be hardened

Debian Bug report logs - #1009964
php-fpm.service should be hardened

Reported by: Andrea Pappacoda <andrea@pappacoda.it>

Date: Thu, 21 Apr 2022 11:27:01 UTC

Severity: normal

Tags: patch

Found in version php-defaults/76

Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#1009964; Package php-fpm. (Thu, 21 Apr 2022 11:27:03 GMT) (full text, mbox, link).

Acknowledgement sent to Andrea Pappacoda <andrea@pappacoda.it>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <team+pkg-php@tracker.debian.org>. (Thu, 21 Apr 2022 11:27:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Package: php-fpm Version: 2:7.4+76 Severity: normal Tags: patch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, I think that the php-fpm systemd service should be hardened. php's security is particularly important, as it is a widely used, long-running service with a lot of responsibilities and privileges. Upstream has been shipping an hardened systemd service for a few years[1][2], and I really think that Debian should do the same, if not better. I've been running php with a really strict set of hardenings for a while, but some of them are really tailored to my specific setup and can't be applied by default. I'm leaving an attached patch with some hardenings that I believe are safe to deploy for everyone. My setup is fairly limited though, and further testing is required. With the supplied configuration, `systemd-analyze security php7.4-fpm` reports an overall exposure level of 2.3, and that's extremely good if compared to the 9.6 score of the current unit :D Thanks for your work on the php packages! 1: https://bugs.php.net/72510 2: https://github.com/php/php- src/commit/40c4d7f1820df1872a71ab07fd26da45a203e37f - -- System Information: Debian Release: bookworm/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.16.0-6-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages php-fpm depends on: pn php8.1-fpm <none> php-fpm recommends no packages. php-fpm suggests no packages. -----BEGIN PGP SIGNATURE----- iIoEARYIADIWIQRm3vFSgpkMIZnvqAGooSioqxzuSQUCYmE+zBQcYW5kcmVhQHBh cHBhY29kYS5pdAAKCRCooSioqxzuScv0AQCi+nRjV57XdEX4adIrWGrcNDFGukWT sTsO/DEN1RFiLwEA2XMbOKPnr1bcdFFy1n01ePk4TjK2DO5mt6TpVpBDjA0= =3j1J -----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#1009964; Package php-fpm. (Thu, 21 Apr 2022 13:42:04 GMT) (full text, mbox, link).

Acknowledgement sent to Andrea Pappacoda <andrea@pappacoda.it>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <team+pkg-php@tracker.debian.org>. (Thu, 21 Apr 2022 13:42:04 GMT) (full text, mbox, link).

Message #10 received at 1009964@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Attaching an updated patch, since the one I attached in the first message has `PrivateNetwork=true` in it, an that obviously breaks PHP

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Sep 19 16:05:17 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #1009964 php-fpm.service should be hardened

Debian Bug report logs - #1009964
php-fpm.service should be hardened