Why is www's $PATH only /usr/bin:/bin?

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Fri Apr 29 07:12:09 UTC 2016


RW via freebsd-questions [2016-04-28 14:06 +0100] :

> I forget to mention that you can set environmental variables in rc.conf,
> e.g.
> 
>  apache24_env="FOO=YES PATH=/bin:/usr/sbin:/usr/bin"

Very interesting indeed!

Luca Ferrari [2016-04-29 08:06 +0200] :

> On Fri, Apr 29, 2016 at 5:00 AM, Bertram Scharpf
> <lists at bertram-scharpf.de> wrote:
> > A nice thing. Tried it. Thanks. May be a documentation bug
> > that I never heard about that. Could it turn out to be a
> > security hole (probably not)?
> >
> 
> I don't think it is less secure than setting the environment for the
> apache user directly (init file, shell file, etc.).
> However, there is a risk: this is activating the path/environment for
> every application, while probably it is a better idea to set it up
> only for processes running a specific application (the OP PHP one).
> In other words, I would use this "trick" only for jailed daemons.

Luca Ferrari [2016-04-28 12:51 +0200] :

> Another way, less dynamic but I suspect a little more robust, is to
> use a deployment that creates/adjusts the right path to the right
> command. For instance you can have a PHP config file with variables
> that point to commands (full path) and have a deployment script to
> adjust such values to installations.
> I use this technique when placing the same application over slightly
> different servers.

So, to keep you updated, my nginx.conf looks like this now:

	-------	8< -------

	location ~ \.php$ {
		fastcgi_pass   unix:/var/run/php-fpm-something.sock;
		fastcgi_index  index.php;
		include        fastcgi_params;
		fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
	}

	-------	>8 -------

The crux is that php-fpm does the following (from php-fpm.conf):

	-------	8< -------

	; Clear environment in FPM workers
	; Prevents arbitrary environment variables from reaching FPM worker processes
	; by clearing the environment in workers before env vars specified in this
	; pool configuration are added.
	; Setting to "no" will make all environment variables available to PHP code
	; via getenv(), $_ENV and $_SERVER.
	; Default Value: yes
	;clear_env = no

	-------	>8 -------

So I guess that even if I had configured the environment variables of the user
of either NGINX or php-fpm I would have ended up with the same $PATH. While
some references claim that adding something like

    fastcgi_param  PATH  /usr/local/bin:/usr/bin:/bin;

to nginx.conf works, it doesn't. The only way (apart from Luca's suggestion to
write a wrapper) is to alter environmental variables with something like

	env[PATH] = /usr/local/bin:/usr/bin:/bin

in php-fpm.conf. Since I don't want every server process to set the altered
version of the standard $PATH, I created an additional pool at the end of
php-fpm.conf

	[www-something]
	user = www
	group = www
	listen = /var/run/php-fpm-something.sock		; !!!
	listen.owner = www
	listen.group = www
	listen.mode = 0660
	pm = dynamic									; mandatory
	pm.max_children = 5								; mandatory
	pm.start_servers = 2							; mandatory
	pm.min_spare_servers = 1						; mandatory
	pm.max_spare_servers = 3						; mandatory
	env[PATH] = /usr/local/bin:/usr/bin:/bin		; !!!

that specifies env[PATH] as needed and used that particular pool for the server
process that runs the app in question (see also nginx.conf above):

    fastcgi_pass   unix:/var/run/php-fpm-something.sock;

Also see

    http://serverfault.com/questions/418952/setting-path-for-weberver-user

This way I could set $PATH in PHP as needed. Thanks again for the enlightening
comments!
    
    Niklaas
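[Added example, not part of the original message or of php-fpm itself.] The
per-pool env[PATH] and clear_env settings above decide what PATH a PHP worker
resolves commands against, so it is worth checking them mechanically before a
pool goes live. The POSIX sh script below parses a php-fpm pool file, pulls
the env[PATH] declared for a named pool, and flags two things: PATH entries
that are relative, empty or outside an allowlist of system directories, and a
pool that has turned clear_env off (which lets the master's whole environment
reach the workers). The sample pool text is constructed for the example; the
allowlist of trusted directories is an assumption and should be edited for the
host.

```sh
#!/bin/sh
# Constructed sample php-fpm pool config (not the original poster's file).
# [www-something] mirrors the pool from the post; [www-risky] shows settings
# the checks below are meant to catch.
SAMPLE_POOL_CONF='[www-something]
user = www
group = www
listen = /var/run/php-fpm-something.sock
pm = dynamic
pm.max_children = 5
env[PATH] = /usr/local/bin:/usr/bin:/bin

[www-risky]
user = www
clear_env = no
env[PATH] = .:/usr/local/bin:/tmp/bin:/usr/bin:/bin
'

# Print the env[PATH] value declared in pool section $2 of config text $1
# (empty output if the pool sets none). Trailing ";" comments are stripped.
pool_path() {
    printf '%s\n' "$1" | awk -v pool="$2" '
        /^\[/ { in_pool = ($0 == "[" pool "]"); next }
        in_pool && $0 ~ /^env\[PATH\][ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*(;.*)?$/, ""); print; exit
        }
    '
}

# Exit status 0 when pool $2 in config $1 explicitly disables clear_env.
pool_clear_env_disabled() {
    printf '%s\n' "$1" | awk -v pool="$2" '
        /^\[/ { in_pool = ($0 == "[" pool "]"); next }
        in_pool && $0 ~ /^clear_env[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            if (v ~ /^(no|off|false|0)/) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Exit status 0 when every PATH entry is one of the trusted system directories
# (assumed allowlist; adjust per host). Empty or relative entries make a worker
# resolve commands from its working directory, and user-writable prefixes such
# as /tmp are rejected by not being listed. Runs in a subshell so IFS and
# globbing changes do not leak.
path_is_safe() (
    case "$1" in ""|*:|:*|*::*) exit 1 ;; esac   # empty component somewhere
    IFS=:
    set -f
    for dir in $1; do
        case "$dir" in
            /usr/local/bin|/usr/local/sbin|/usr/bin|/usr/sbin|/bin|/sbin) ;;
            *) exit 1 ;;
        esac
    done
    exit 0
)

# Audit pool $2 in config text $1: print one verdict per check, return 1 on
# any finding so the script can gate a deployment.
audit_pool() {
    rc=0
    p=$(pool_path "$1" "$2")
    if [ -z "$p" ]; then
        printf '%s: no env[PATH]; workers keep php-fpm'\''s default PATH\n' "$2"
    elif path_is_safe "$p"; then
        printf '%s: PATH ok: %s\n' "$2" "$p"
    else
        printf '%s: PATH has relative, empty or untrusted entries: %s\n' "$2" "$p"
        rc=1
    fi
    if pool_clear_env_disabled "$1" "$2"; then
        printf '%s: clear_env = no; master environment leaks into workers\n' "$2"
        rc=1
    fi
    return $rc
}

# Usage: audit both sample pools; real use would pass "$(cat /path/to/pool.conf)".
audit_pool "$SAMPLE_POOL_CONF" www-something
audit_pool "$SAMPLE_POOL_CONF" www-risky
```

Run against the real pool file with `audit_pool "$(cat php-fpm.conf)" www-something`
from a deployment script; a non-zero exit means the pool would start with a
PATH or environment you did not intend.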

