[eduVPN-deploy] php-fpm socket hardening
François Kooman
fkooman at tuxed.net
Mon Oct 16 16:13:36 CEST 2017
Hi,

By default php-fpm in CentOS and RHEL uses a TCP socket instead of a
filesystem socket. We switch to filesystem sockets for performance
reasons, however, the defaults are not ideal. The permissions of the
socket are "0666". This does not immediately create a vulnerability, but
we better secure it a bit more :)

Running the following commands fixes this:

    $ sudo sed -i "s|;listen.mode = 0666|listen.mode = 0660|" /etc/php-fpm.d/www.conf
    $ sudo sed -i "s|;listen.group = nobody|listen.group = apache|" /etc/php-fpm.d/www.conf
    $ sudo systemctl restart php-fpm

The `deploy.sh` script was also updated.

Let me know if you have any questions!

Cheers,
François
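
A way to confirm the change took effect in a pool file, as an added example that is not part of the original post or of eduVPN's `deploy.sh`: the function names and verdict strings are hypothetical. An unset `listen.mode` is flagged because the post describes the default on these systems as 0666.

```shell
#!/bin/sh
# Added example (not from deploy.sh): audit a php-fpm pool file for the
# socket settings discussed in the post above.

# Print the effective value of KEY ($2) in FILE ($1). Lines starting with
# ';' or '#' are comments, so ";listen.mode = 0666" yields nothing.
pool_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v      # last assignment wins
        }
        END { print val }
    ' "$1"
}

# Echo a verdict for pool file $1; expected group $2 (default: apache).
# Returns 0 only when the verdict is "ok".
audit_pool() {
    want_group=${2:-apache}
    listen=$(pool_value "$1" listen)
    mode=$(pool_value "$1" listen.mode)
    group=$(pool_value "$1" listen.group)
    case $listen in
        /*) ;;                                  # filesystem socket
        *)  echo "tcp-or-unset"; return 1 ;;    # listen.mode does not apply
    esac
    [ -n "$mode" ] || { echo "mode-unset"; return 1; }
    # The last octal digit is the "other" permission class; it must be 0.
    case $mode in
        *[!0-7]*) echo "mode-invalid"; return 1 ;;
        *0) ;;
        *)  echo "world-accessible"; return 1 ;;
    esac
    [ "$group" = "$want_group" ] || { echo "group-mismatch"; return 1; }
    echo "ok"
}

# Usage: audit_pool /etc/php-fpm.d/www.conf apache
```

The check reads only the configuration; the socket file itself picks up the new mode and group after php-fpm is restarted.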