FPM support at php::series7::hardened

author Silvio Rhatto <rhatto@riseup.net>

Thu, 12 Apr 2018 15:42:10 +0000 (12:42 -0300)

committer Silvio Rhatto <rhatto@riseup.net>

Thu, 12 Apr 2018 15:42:10 +0000 (12:42 -0300)
author Silvio Rhatto <rhatto@riseup.net>
Thu, 12 Apr 2018 15:42:10 +0000 (12:42 -0300)
committer Silvio Rhatto <rhatto@riseup.net>
Thu, 12 Apr 2018 15:42:10 +0000 (12:42 -0300)
diff --git a/manifests/series7/hardened.pp b/manifests/series7/hardened.pp

index 73cf21a9a15aa9f488b9ed6731d195e2b0448e62..d949470b5d7ccfdeffa01aa4d4011026f804d522 100644 (file)
--- a/manifests/series7/hardened.pp
+++ b/manifests/series7/hardened.pp
@@ -1,8 +1,19 @@
  class php::series7::hardened {
+  $fpm               = $::php::fpm
+  $disable_functions = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec'
+  # $disable_functions = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec'
+
    php::config {
      'allow_url_fopen'   : series => '7', value => 'Off';
      'allow_url_include' : series => '7', value => 'Off';
-    'disable_functions' : series => '7', value => 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec';
-    #series => '7', value => 'disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec',
+    'disable_functions' : series => '7', value => $disable_functions;
+  }
+
+  if $fpm == 'present' {
+    php::config {
+      'allow_url_fopen'   : series => '7', sapi => 'fpm', value => 'Off';
+      'allow_url_include' : series => '7', sapi => 'fpm', value => 'Off';
+      'disable_functions' : series => '7', sapi => 'fpm', value => $disable_functions;
+    }
    }
  }
author	Silvio Rhatto <rhatto@riseup.net>
	Thu, 12 Apr 2018 15:42:10 +0000 (12:42 -0300)
committer	Silvio Rhatto <rhatto@riseup.net>
	Thu, 12 Apr 2018 15:42:10 +0000 (12:42 -0300)