Jump to content

PHP-FRM cannot read env vars


Go to solution Solved by SoloLVL,

Recommended Posts

Problem: php-fpm unable to access env vars via getenv() func, meanwhile php-cli can

Circumstances:
-- php version 8.1.10
-- clear_env is set to no in /etc/php/8.1/fpm/pool.d/www.conf
-- vars are set, thus is it possible to see them via shell env command or via php-cli with getenv()
-- using ubuntu22
-- php-fpm runs under user which has access to those env vars

Open to any thought, ready to provide more details

Link to comment
https://forums.phpfreaks.com/topic/317617-php-frm-cannot-read-env-vars/
Share on other sites

The FPM workers run in a clean environment via systemd.  Setting clear_env in the pool configuration doesn't change that. 

You will need to either set the variables as part of the service definition in systemd or through the web server so they get passed to the fpm process.  For example, if using apache add

SetEnv YOUR_VAR the_value

to your site configuration.

Or set them in your pool configuration explicity with

env[YOUR_VAR]=the_value

 

Edited by kicken

They need to go somewhere, unless you want to be manually entering them every time the system boots.  The config files can have their permissions set so only root is able read them.  If you're worried about someone else with root access reading the files, then your problem isn't "how to secure the environment variables?", it's "why does someone you don't trust have root access?".

The other common solution is to not make them true environment variables at all and put them in a .env file in your application directory.  Make that file readable only by the application's user and use something like symfony/dotenv to load it and access the variables using $_ENV.

I do a mix of both in my applications which are based on the Symfony framework.  I have SYMFONY_ENV=prod set as an environment variable in the server configuration to ensure it's running in production mode, then a .env.local file in the application directory that has all the secrets for the application.

 

I like your idea about putting them into config file during deployment, thanks!

Regarding .env file -- I use Laravel and obviously use that .env file for vars & secrets, but I use aws-php-sdk, which uses getenv() function to get aws creds from env vars of the pod. I also cache configs, so .env file no more readable after caching, that's why I am so worried about the fact I cannot access system level env vars.

But the most weird point is that other Laravel & Symfony apps of the friend of mine with the same configs have access to system lvl env vars.

Appreciate your time and help! 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.