php-fpm Hardening

Features

Make .php file not in path defineded in funny_php.conf be invisible to php-fpm by LD_PRELOAD trick.
Compare with original php-fpm:

	php-fpm	php-fpm hardening (OSS Edition)	php-fpm hardening (Enterpise Edition)
PATH_NOT_TRUSTED/ANY.php	Happy executing...	No such file!	No such file!
Bind with Cloud SQL Proxy Hardening (Enterpise Edition)	No	No	Yes

Contact [email protected] for more infomation.

The funny_php.conf should be consist with two sections, and each path should be seperated by newline.

enable:
This section declares the paths where trusted .php files would be placed.
disable:
This section declares paths where .php files will not be visible to php-fpm.

Path found in both section would be treat as untrusted.

[enable]
/var/www/html
/var/www/project

[disable]
/var/www/html/uploads

Define trusted path and excluded path in funny_php.conf.
Move funny_php.conf to /.
- funny_php.conf MUST be place at / or php-fpm would exit with error.
Execute php-fpm like this: LD_PRELOAD=funny.so php-fpm

That's all!

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
LICENSE		LICENSE
Makefile.OSS		Makefile.OSS
README.md		README.md
funny.c		funny.c
funny.h		funny.h
funny_build.h		funny_build.h
funny_debug.c		funny_debug.c
funny_debug.h		funny_debug.h
funny_php.c		funny_php.c
funny_php.conf.example		funny_php.conf.example
funny_php.h		funny_php.h
main.c		main.c