SOLVED Zend OPcache and PHP-FPM

There was some discussion regarding opcache and PHP-FPM in the Enhanced FPM support feature request. Comments for that feature request is now closed (admittedly the discussion of opcaching was probably a bit off topic).

Discussion about opcache and PHP-FPM brought up disclosure information in using Zend Opcache. None of that really seemed to get resolved and I'm not sure if it's really cPanel's place to resolve it, but I'm just wondering if there is a consensus on any of this.

Someone please correct me if I am wrong.

Am I right in saying that the only information disclosure in regards to Zend Opcache is that filenames and paths can be disclosed across different VirtualHosts?

If opcache.use_cwd is enabled, then information (i.e. PHP code, potentially database log in information) in duplicate filenames is not cached and shared across multiple VirtualHosts, correct? opcache.use_cwd is enabled by default.

By using opcache_get_status() filenames and paths to other cached files can be disclosed across multiple VirtualHosts. But if PHP-FPM is set up to use a chroot or if open_basedir is enabled and system()-like functions are disabled, then information in those files cannot be disclosed. Correct?

Would adding opcache_get_status() to the disable_functions list, basically stop this filename disclosure?


In the feature request discussion, I proposed using Xcache as an alternative to Zend Opcache for PHP 5.6 (and I suppose PHP 5.5). Xcache is not compatible with PHP 7 or PHP 7.1, so it's not an option for those. Xcache presents two configuration variables xcache.var_namespace_mode and xcache.var_namespace which should (I think?) resolve issues with information disclosure between multiple VirtualHosts (or users). Ideally, something similar to this would be added to Zend Opcache. Adding this functionality to Zend Opcache would seem to fall on the shoulders of PHP and not on cPanel. But is the above workaround enough of a solution to stop any harmful information disclosure?

 

That is all referring to chroot in php-fpm. That's... not really what this topic is about.

This topic is about Zend Opcache and information disclosure. Chrooting doesn't really do anything in regards to that.

All chrooting can do - if I'm understanding all of this correctly - is prevent someone from potentially reading other VirtualHost's files. Without disabling the opcache_*() functions, then VirtualHost#2 can potentially see what files exist on VirtualHost#1. I'm not sure if that amount of information disclosure is really all that condemning but it is an information disclosure hole.

That's why I'm asking the question. I'm not sure on all of this.

If you still don't understand what I'm talking about, let me know and I'll see if I can explain it better. If anybody else knows what I'm talking about and can think of another way of explaining it, please do so. I feel like I'm not explaining this good enough. It makes sense to me, but that doesn't mean that it makes sense to other people.

 

What version of cPanel are you using? Did cPanel change the way PHP-FPM is run in cPanel 58 or cPanel 60?

 

I'm still running cPanel 56 and using the documented instructions for PHP-FPM (which I think cPanel says not to use now, but at the time who knew when cPanel would get around to integrating their own PHP-FPM setup... which I'm not entirely sure they have done yet).

I don't really think there is going to be a way around this, unless you run a php-fpm master process for each user (which I don't think is feasible) or until Zend OpCache is patched to utilize something like Xcache's namespace, or you could use Xcache for PHP 5.6. The shared opcache space is always going to be there. But by disabling the opcache_*() functions you are at least limiting (perhaps closing?) the ability for end users to obtain information about other VirtualHosts on the server.

At least that's my thoughts on it. Was hoping to get some other's thoughts/input/discussion.


To see what API PHP is using for a specific VirtualHost, you can create a phpinfo page on the VirtualHost and then visit the VirtualHost's phpinfo page and note the Server API

 

This is what I'm wondering to. The data is still there in the "shared pool" but can the actual data be accessed by other VirtualHosts? All disabling the opcache_*() functions is doing is preventing or making it more difficult for other users to see that data. And as you say there's really nothing inherently insecure about disclosing files and file paths as long as the code in those files is not disclosed. Sure, VirtualHost#2 can find out that VirtualHost#1 has a file at /home/user1/public_html/secret.php but as long as they can't what's in that file, it's not a huge deal.

I do know that if you disable opcache.use_cwd then data can be accessed across different VirtualHosts. There's information on this in PHP's bug report - PHP :: Bug #67481 :: Opcache uses wrong file from cache - which is slightly dated and it's worth mentioning that opcache.use_cwd is enabled by default, so the best I can tell that is not an issue.

 

Or perhaps nobody is aware that this is an issue or a potential issue.

I'm somewhat inclined to believe that the chance of any data compromise is very low. The file path information leak is somewhat concerning, but as you say, it's not really a dealbreaker and from what I can tell that can be mitigated by blocking access to the opcache_*() functions.

Zend may be seeing PHP access as a single-user platform instead of the multi-user platform that shared hosting is. In a single-user environment and information or data disclosure wouldn't seem to be a bit deal, because if everything is owned by that one user, then that one user has access to everything already.

 

It's not really a cPanel issue, it's a Zend or PHP issue.

Create two VirtualHosts setup with different PHP-FPM pools (we'll call them example1.tld and example2.tld). With different user pools (i.e. user1 and user2).

Create a PHP file (i.e. "Hello World") on example1.tld, and visit it, i.e. http://example1.tld/hello.php

PHP:

<?php
print("Hello World");
?>


Now on example2.tld create a cache.php file:

PHP:

<pre>
<?php
print_r(opcache_get_status());
?>
</pre>


Now visit http://example2.tld/cache.php

Note how example2.tld can learn of files that exist on example1.tld

Code:

[scripts] => Array
    (
        [/home/user1/public_html/hello.php] => Array
        (
            [full_path] => /home/user1/public_html/hello.php

This may be making a mountain out of a molehill. Does it disclose anything important? Not really. At least that I know of. But it does disclose path information. Since example2.tld can see the files that have been accessed on example1.tld, is it possible for example2.tld to read the contents of that cached data from example1.tld? If so, then that's a concern.

How does this rate on disturbing people? I don't know. But something to think about if you are using or want to use Zend OpCache any shared hosting environment.