Date: Fri, 29 Apr 2016 09:12:07 +0200
From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-questions@freebsd.org
Subject: Re: Why is www's $PATH only /usr/bin:/bin?
Message-ID: <20160429071207.GB43096@box-fra-01.niklaas.eu>
In-Reply-To: <CAKoxK%2B7n0PZsqAtZAG-R_VsXmxZwC0iKafqzM6Hkh8LnZNY6Vg@mail.gmail.com> <CAKoxK%2B5QDtcHPZyVTwG2eUC2ncfLCwePaL=FsXHe1UQMdAbD3Q@mail.gmail.com> <20160428140606.246aaeb8@gumby.homeunix.com>
RW via freebsd-questions [2016-04-28 14:06 +0100] :
> I forget to mention that you can set environmental variables in rc.conf,
> e.g.
>
> apache24_env="FOO=YES PATH=/bin:/usr/sbin:/usr/bin"

Very interesting indeed!

Luca Ferrari [2016-04-29 08:06 +0200] :
> On Fri, Apr 29, 2016 at 5:00 AM, Bertram Scharpf
> <lists@bertram-scharpf.de> wrote:
> > A nice thing. Tried it. Thanks. Maybe a documentation bug
> > that I never heard about that. Could it turn out to be a
> > security hole (probably not)?
> >
>
> I don't think it is less secure than setting the environment for the
> apache user directly (init file, shell file, etc.).
> However, there is a risk: this is activating the path/environment for
> every application, while probably it is a better idea to set it up
> only for processes running a specific application (the OP PHP one).
> In other words, I would use this "trick" only for jailed daemons.

Luca Ferrari [2016-04-28 12:51 +0200] :
> Another way, less dynamic but I suspect a little more robust, is to
> use a deployment that creates/adjusts the right path to the right
> command. For instance you can have a PHP config file with variables
> that point to commands (full path) and have a deployment script to
> adjust such values to installations.
> I use this technique when placing the same application over slightly
> different servers.

So, to keep you updated, my nginx.conf looks like this now:

------- 8< -------
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php-fpm-something.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
------- >8 -------

The crux is that php-fpm does the following (from php-fpm.conf):

------- 8< -------
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
------- >8 -------

So I guess that even if I had configured the environment variables of the
user of either NGINX or php-fpm I would have ended up with the same $PATH.

While some references claim that adding something like

    fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;

to nginx.conf works, it doesn't. The only way (despite Luca's suggestion to
write a wrapper) is to alter environmental variables with something like

    env[PATH] = /usr/local/bin:/usr/bin:/bin

in php-fpm.conf. Since I don't want every server process to set the altered
version of the standard $PATH, I created an additional pool at the end of
php-fpm.conf

    [www-something]
    user = www
    group = www
    listen = /var/run/php-fpm-something.sock   # !!!
    listen.owner = www
    listen.group = www
    listen.mode = 0660
    pm = dynamic                               # mandatory
    pm.max_children = 5                        # mandatory
    pm.start_servers = 2                       # mandatory
    pm.min_spare_servers = 1                   # mandatory
    pm.max_spare_servers = 3                   # mandatory
    env[PATH] = /usr/local/bin:/usr/bin:/bin   # !!!

that specifies env[PATH] as needed and use that particular pool for the
server process that runs the app in question (see also nginx.conf above):

    fastcgi_pass unix:/var/run/php-fpm-something.sock;

Also see
http://serverfault.com/questions/418952/setting-path-for-weberver-user

This way I could set $PATH in PHP as needed.

Thanks again for the enlightening comments!

    Niklaas
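An added check that is not part of the thread and not php-fpm's own code: a POSIX sh/awk audit that walks the pool sections of a php-fpm configuration and reports, per pool, the active clear_env setting and any env[PATH] override, so a dedicated pool like [www-something] and any pool that has switched clear_env off both stand out. The sample pool file it writes is constructed for the demo; point audit_fpm_pools at a real php-fpm.conf or pool file instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit php-fpm pool sections for
# clear_env and env[PATH]. A pool with clear_env = no passes the master's
# whole environment to PHP via getenv()/$_ENV; env[PATH] shows which pools
# carry an explicit PATH override like the [www-something] pool above.

# Write a constructed sample pool file to $1 (this is not the poster's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
pid = /var/run/php-fpm.pid
[www]
user = www
listen = /var/run/php-fpm.sock
[www-something]
user = www
listen = /var/run/php-fpm-something.sock
env[PATH] = /usr/local/bin:/usr/bin:/bin
[legacy]
; exposes every environment variable of the php-fpm master to PHP code
clear_env = no
EOF
}

# Print one line per pool: pool=<name> clear_env=<value> env[PATH]=<value>.
# The [global] section is skipped; ';' comment lines (e.g. ";clear_env = no")
# are ignored, so only active directives count.
audit_fpm_pools() {
    awk '
        function report() {
            if (pool == "" || pool == "global") return
            printf "pool=%s clear_env=%s env[PATH]=%s\n", pool, clear, path
        }
        function value(line) { sub(/^[^=]*=[[:space:]]*/, "", line); sub(/[[:space:]]+$/, "", line); return line }
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            report()
            pool = $0; sub(/^[[:space:]]*\[/, "", pool); sub(/].*$/, "", pool)
            clear = "yes(default)"; path = "(not set)"
            next
        }
        /^[[:space:]]*clear_env[[:space:]]*=/  { clear = value($0); next }
        /^[[:space:]]*env\[PATH][[:space:]]*=/ { path = value($0); next }
        END { report() }
    ' "$1"
}

# Stand-alone demo on the constructed sample; use a real pool file instead.
tmp=$(mktemp) && write_sample_conf "$tmp" && audit_fpm_pools "$tmp"; rm -f "$tmp"
```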