Date: Fri, 29 Apr 2016 09:12:07 +0200 From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu> To: freebsd-questions@freebsd.org Subject: Re: Why is www's $PATH only /usr/bin:/bin? Message-ID: <20160429071207.GB43096@box-fra-01.niklaas.eu> In-Reply-To: <CAKoxK%2B7n0PZsqAtZAG-R_VsXmxZwC0iKafqzM6Hkh8LnZNY6Vg@mail.gmail.com> <CAKoxK%2B5QDtcHPZyVTwG2eUC2ncfLCwePaL=FsXHe1UQMdAbD3Q@mail.gmail.com> <20160428140606.246aaeb8@gumby.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
RW via freebsd-questions [2016-04-28 14:06 +0100] :
> I forget to mention that you can set environmental variables in rc.conf,
> e.g.
>
> apache24_env="FOO=YES PATH=/bin:/usr/sbin:/usr/bin"
Very interesting indeed!
Luca Ferrari [2016-04-29 08:06 +0200] :
> On Fri, Apr 29, 2016 at 5:00 AM, Bertram Scharpf
> <lists@bertram-scharpf.de> wrote:
> > A nice thing. Tried it. Thanks. May be a documentation bug
> > that I never heard about that. Could it turn out to be a
> > security hole (probably not)?
> >
>
> I don't think it is less secure than setting the environment for the
> apache user directly (init file, shell file, ecc).
> However, there is a risk: this is activating the path/environment for
> every application, while probably it is a better idea to set it up
> only for processes running a specific application (the OP PHP one).
> In other words, I would use this "trick" only for jailed daemons.
Luca Ferrari [2016-04-28 12:51 +0200] :
> Another way, less dynamic but I suspect a little more robust, is to
> use a deployment that creates/adjusts the right path to the right
> command. For instance you can have a PHP config file with variables
> that point to commands (full path) and have a deployment script to
> adjust such values to installations.
> I use this technique when placing the same application over sligthly
> different servers.
So, to keep you updated, my nginx.conf looks like this now:
------- 8< -------
location ~ \.php$ {
fastcgi_pass unix:/var/run/php-fpm-something.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
------- >8 -------
The crux is that php-fpm does the following (from php-fpm.conf):
------- 8< -------
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
------- >8 -------
So I guess that even if I had configured the environment variables of the user
of either NGINX or php-fpm I would have ended up with the same $PATH. While
some references claim that adding something like
fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
to nginx.conf works, it doesn't. The only way (despite Luca's to write
a wrapper) is to alter environmental variables with something like
env[PATH] = /usr/local/bin:/usr/bin:/bin
in php-fpm.conf. Since I don't want every server process to set the altered
version of the standard $PATH, I created an additional pool at the end of
php-fpm.conf
[www-something]
user = www
group = www
listen = /var/run/php-fpm-something.sock # !!!
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic # mandatory
pm.max_children = 5 # mandatory
pm.start_servers = 2 # mandatory
pm.min_spare_servers = 1 # mandatory
pm.max_spare_servers = 3 # mandatory
env[PATH] = /usr/local/bin:/usr/bin:/bin # !!!
that specifies env[PATH] as needed and use that particular pool for the server
process that runs the app in question (see also nginx.conf above):
fastcgi_pass unix:/var/run/php-fpm-something.sock;
Also see
http://serverfault.com/questions/418952/setting-path-for-weberver-user
This way I could set $PATH in PHP as needed. Thanks again for the enlightening
comments!
Niklaas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160429071207.GB43096>