Set CLOEXEC on listened/accepted sockets in the FPM children

Mikhail Galanin · Mikhail Galanin · commit 4aba136e1cad · 2023-07-28T13:33:58.000+01:00
diff --git a/main/fastcgi.c b/main/fastcgi.c
@@ -1423,6 +1423,10 @@ int fcgi_accept_request(fcgi_request *req)
 					return -1;
 				}
 
+				if (0 > fcntl(req->fd, F_SETFD, fcntl(req->fd, F_GETFD) | FD_CLOEXEC)) {
+					fcgi_log(FCGI_WARNING, "failed to change attribute of error_log");
+				}
+
 #ifdef _WIN32
 				break;
 #else
diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c
@@ -167,6 +167,25 @@ struct fpm_child_s *fpm_child_find(pid_t pid) /* {{{ */
 }
 /* }}} */
 
+static int fpm_child_cloexec(void)
+{
+	/* If PHP code invokes pcntl_fork()/exec(), we don't want the external programm to inherit the descriptor.
+		If the external process accidentally uses the socket it will likely break the communication */
+	int attrs = fcntl(fpm_globals.listening_socket, F_GETFD);
+	if (0 > attrs) {
+		zlog(ZLOG_WARNING, "failed to get attributes of listening socket, errno: %d", errno);
+		return -1;
+	}
+
+	/* set CLOEXEC to prevent the descriptor leaking to child processes */
+	if (0 > fcntl(fpm_globals.listening_socket, F_SETFD, attrs | FD_CLOEXEC)) {
+		zlog(ZLOG_WARNING, "failed to change attribute of listening socket");
+		return -1;
+	}
+
+	return 0;
+}
+
 static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 {
 	fpm_globals.max_requests = wp->config->pm_max_requests;
@@ -178,7 +197,8 @@ static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 	    0 > fpm_unix_init_child(wp)   ||
 	    0 > fpm_signals_init_child()  ||
 	    0 > fpm_env_init_child(wp)    ||
-	    0 > fpm_php_init_child(wp)) {
+	    0 > fpm_php_init_child(wp)    ||
+	    0 > fpm_child_cloexec()) {
 
 		zlog(ZLOG_ERROR, "[pool %s] child failed to initialize", wp->config->name);
 		exit(FPM_EXIT_SOFTWARE);
diff --git a/sapi/fpm/tests/listen-socket-closed-on-exec.phpt b/sapi/fpm/tests/listen-socket-closed-on-exec.phpt
@@ -0,0 +1,72 @@
+--TEST--
+FPM: Set CLOEXEC on the listen socket
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+<?php
+if (!in_array(PHP_OS_FAMILY, ['Linux', 'Darwin'], true)) {
+    die("skip: only can work on Linux or macOS\n");
+}
+?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<'EOT'
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = static
+pm.max_children = 1
+pm.status_listen = {{ADDR[status]}}
+pm.status_path = /status
+env[PATH] = $PATH
+EOT;
+
+
+$code = <<<'EOT'
+<?php
+
+echo "My sockets (expect to see 2 of them):\n";
+
+$mypid = getmypid();
+$ph = popen("lsof -Pn -p$mypid 2>&1 | grep TCP", 'r');
+echo stream_get_contents($ph);
+pclose($ph);
+
+echo "\n\n";
+
+echo "Sockets after exec(), expected to be empty:\n";
+$ph = popen("lsof -Pn -p\$\$ 2>&1 | grep TCP", 'r');
+var_dump(stream_get_contents($ph));
+pclose($ph);
+
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester->request()->printBody();
+usleep(100000);
+//$tester->status($expectedStatusData, '{{ADDR[status]}}');
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECTF--
+My sockets (expect to see 2 of them):
+%S
+%S
+
+
+Sockets after exec(), expected to be empty:
+string(0) ""
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
