Fix bug #67060: use default mode of 660

3 files changed, 6 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index a8081dfcc1..692b816fad 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-17 Apr 2014, PHP 5.4.28 RC1
+01 May 2014, PHP 5.4.28
 
 - Core:
   . Fixed bug #61019 (Out of memory on command stream_get_contents). (Mike)
@@ -30,6 +30,8 @@ PHP                                                                        NEWS
 
 - FPM:
   . Fixed bug #66482 (unknown entry 'priority' in php-fpm.conf). 
+  . Fixed bug #67060 (sapi/fpm: possible privilege escalation due to insecure 
+    default configuration) (CVE-2014-0185). (Stas)
 
 - JSON:
   . Fixed bug #66021 (Blank line inside empty array/object when
diff --git a/sapi/fpm/fpm/fpm_unix.c b/sapi/fpm/fpm/fpm_unix.c
index 48249e8a49..ea0e67369c 100644
--- a/sapi/fpm/fpm/fpm_unix.c
+++ b/sapi/fpm/fpm/fpm_unix.c
@@ -35,7 +35,7 @@ int fpm_unix_resolve_socket_premissions(struct fpm_worker_pool_s *wp) /* {{{ */
 	/* uninitialized */
 	wp->socket_uid = -1;
 	wp->socket_gid = -1;
-	wp->socket_mode = 0666;
+	wp->socket_mode = 0660;
 
 	if (!c) {
 		return 0;
diff --git a/sapi/fpm/php-fpm.conf.in b/sapi/fpm/php-fpm.conf.in
index 1e70f2c1c1..9205d42239 100644
--- a/sapi/fpm/php-fpm.conf.in
+++ b/sapi/fpm/php-fpm.conf.in
@@ -166,10 +166,10 @@ listen = 127.0.0.1:9000
 ; permissions must be set in order to allow connections from a web server. Many
 ; BSD-derived systems allow connections regardless of permissions. 
 ; Default Values: user and group are set as the running user
-;                 mode is set to 0666
+;                 mode is set to 0660
 ;listen.owner = @php_fpm_user@
 ;listen.group = @php_fpm_group@
-;listen.mode = 0666
+;listen.mode = 0660
  
 ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original