Hello,
from now on there is the possibility to harden PHP-FPM additionally. The packages php-(VERSION)-opt-hardened can be installed in addition to the PHP versions provided by us, e.g:
These include a so-called drop-in for the respective systemd unit files in order to run the FPM pool manager with additional restrictions:
- the entire file system is read-only, except for the mandatory paths (/run, /var/log, /var/www)
- no binaries may be executed below /var/www (e.g. uploaded malware)
- privilege escalation to root via an exploit is made harder (by restricting the capabilities)
- no more access to the central /tmp directory (open_basedir can be trivially bypassed in most PHP versions)
- restricted access to /dev/
- no kernel settings can be changed and no kernel modules loaded
- no network sockets may be opened for incoming connections
All settings can be found (including comments and reference to the respective systemd documentation) at /lib/systemd/system/php(VERSION)-fpm.service.d/10-sandbox.conf. If individual settings cause problems in a specific case, they can be overwritten by an additional drop-in.
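As an added illustration (not the provider's actual 10-sandbox.conf, whose contents are not reproduced here), the following two drop-ins show how the listed restrictions map onto systemd sandboxing directives and how a site-specific drop-in can relax a single setting. The paths, the capability list and the systemd version requirements noted in the comments are assumptions and must be checked against the real unit and distribution.

```ini
# Hypothetical reconstruction of the hardening drop-in
# /lib/systemd/system/php8.2-fpm.service.d/10-sandbox.conf
[Service]
# Whole file system read-only; only these trees stay writable
ProtectSystem=strict
ReadWritePaths=/run /var/log /var/www
# Uploaded binaries under the web root cannot be executed (systemd >= 242)
NoExecPaths=/var/www
# Private /tmp and /dev instead of the shared host directories
PrivateTmp=true
PrivateDevices=true
# No changes to sysctls, no module loading
ProtectKernelTunables=true
ProtectKernelModules=true
# Assumed minimal set the FPM master needs to drop to the pool user and
# manage its children; verify against the real workload before deploying
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN CAP_KILL CAP_DAC_OVERRIDE
# No listening sockets for incoming connections (systemd >= 249)
SocketBindDeny=any

# Hypothetical site-specific override that loads after 10-sandbox.conf
# /etc/systemd/system/php8.2-fpm.service.d/20-local.conf
[Service]
# List settings are additive: grant one extra writable path for an application
ReadWritePaths=/srv/app-uploads
# The most specific path wins, so a single vendor binary under the web root
# may be executed again while the rest of /var/www stays noexec
ExecPaths=/var/www/example.org/bin/convert
```

After adding the override, run `systemctl daemon-reload` and check the merged result with `systemctl show php8.2-fpm.service -p ReadWritePaths -p ExecPaths` before restarting the service.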
Please let us know if you encounter any problems or unexpected restrictions during operation. In the longer term, we plan to equip PHP-FPM with these restrictions by default. Further measures to increase server security are also being prepared.
The hardened packages are available for PHP 5.6 - 8.3 on Debian 10-12 and Ubuntu 18-22.
Best regards
-Klaus Keppler