I run PHP via FastCGI with nginx web server on Gentoo. PHP is started by spawn-fcgi script from lighttpd, which is started run as a daemon using start-stop-daemon. Among other things, startup scripts cleans-up environment, so that only PATH, PHP_FCGI_CHILDREN and PHP_FCGI_MAX_REQUESTS are left when PHP is started. However on my machine, additionally to those variables, in _SERVER I also see USER and HOME variables. Not only they are there, but they are also set to "root" and "/root" respectively, which is wrong as PHP is run as user "nobody" (confirmed using echo exec('whoami');). What is wrong with my install? How can I get rid of those variables that should not be there?
Asked
Active
Viewed 2,217 times
1 Answers
1
The fact that it shows "nobody" as the current user only means that it shed its privileges after starting up, not that it started up as nobody in the first place.
Ignacio Vazquez-Abrams
- 45,939
- 6
- 79
- 84
-
The exact line php is started is: env -i PATH=/lib/rc/sbin:/lib/rc/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin PHP_FCGI_CHILDREN=5 PHP_FCGI_MAX_REQUESTS=500 /sbin/start-stop-daemon --start --pidfile /var/run/spawn-fcgi/php-1.pid --exec /usr/bin/spawn-fcgi --name /usr/bin/php-cgi -- -a 127.0.0.1 -p 9000 -P /var/run/spawn-fcgi/php-1.pid -u nobody -g nobody -- /usr/bin/php-cgi So I am pretty shure it is started as "nobody", but from where _SERVER[“USER”] and _SERVER[“HOME”] creep in I have no idea. :( – Jul 17 '10 at 16:06
-
1`-u` and `-g` don't specify startup credentials. Only `su`/`sudo`/etc. can. – Ignacio Vazquez-Abrams Jul 17 '10 at 16:28
-
But shouldn't env -i prevent these variables from appearing in startup environment anyway? Now, here is most strangest thing: on another machine of mine with pretty much the same setup, except that it is 64bit machine, _SERVER[“USER”] and _SERVER[“HOME”] are not present! – Jul 17 '10 at 16:43