Froxlor Forum
sporkman

Permissions mismatch between php-fpm sockets and web user

Question

I'm a bit stumped on something here with the php-fpm setup...  I'm seeing my virthosts not able to serve content because when Apache connects to the php-fpm socket, it gets a "permission denied" error. The error does make sense: the web server runs as user "www" (whether in prefork or worker MPM mode), and there are no suexec overrides (not sure that's even available in worker MPM?) in the individual virtual host entries. And in the per-user php-fpm configs, the permissions are clearly set to the user/group of the owner, and the mask is 0660, meaning ONLY the owner of the site has access to those sockets.  This does not seem like it should work. Is something different supposed to be happening here?  Should the www group be the group owner of the sockets? If I manually override that by doing a recursive "chgrp www" in the php-fpm socket directory, all is well. If I manually override the php-fpm config to make www the group owner, all is well.

What am I missing?  I know I can just hack around this by modifying the code that generates the php-fpm config, but that feels wrong... :)

Vhost config example:

[root@panel /usr/local/etc/apache24]# cat sites-enabled/35_froxlor_normal_vhost_web1.example.com.conf
# 35_froxlor_normal_vhost_web1.example.com.conf
# Created 31.03.2019 00:59
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 2 - CustomerID: 1 - CustomerLogin: tester1
<VirtualHost 10.3.2.207:80>
  ServerName web1.example.com
  ServerAdmin css-test1@example.com
  DocumentRoot "/var/customers/webs/tester1/web1/"
  <FilesMatch \.(php)$>
  SetHandler proxy:unix:/var/run/apache2/fastcgi/1-tester1-web1.example.com-php-fpm.socket|fcgi://localhost
  </FilesMatch>
  <Directory "/var/customers/webs/tester1/web1/">
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/tester1/webalizer/web1.example.com"
  ErrorLog "/var/customers/logs/tester1-web1.example.com-error.log"
  CustomLog "/var/customers/logs/tester1-web1.example.com-access.log" combined
</VirtualHost>
[root@panel /usr/local/etc/apache24]#

PHP-FPM config example:

[root@panel /usr/local/etc/apache24]# cat ../php-fpm.d/web1.example.com.conf
;PHP-FPM configuration for "web1.example.com" created on 2019.03.31 00:59:12
[web1.example.com]
listen = /var/run/apache2/fastcgi/1-tester1-web1.example.com-php-fpm.socket
listen.owner = tester1
listen.group = tester1
listen.mode = 0660
user = tester1
group = tester1
pm = dynamic
pm.max_children = 1
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 0
;chroot = /var/customers/webs/tester1/web1/
security.limit_extensions = .php
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /var/customers/tmp/tester1/
env[TMPDIR] = /var/customers/tmp/tester1/
env[TEMP] = /var/customers/tmp/tester1/
php_admin_value[session.save_path] = /var/customers/tmp/tester1/
php_admin_value[upload_tmp_dir] = /var/customers/tmp/tester1/


php_admin_flag[allow_call_time_pass_reference] = Off
php_admin_flag[allow_url_fopen] = Off
[... snip tons of php flags ...]
php_admin_value[open_basedir] = "/var/customers/webs/tester1/web1:/var/customers/tmp/tester1:/usr/local/share/php:/usr/share/php5:/tmp"
php_admin_value[output_buffering] = 4096
[...]
php_admin_value[opcache.restrict_api] = "/var/customers/webs/tester1/web1/"
[root@panel /usr/local/etc/apache24]#

Oh, maybe you don't want to just trust me, so some logs showing the permissions issue:

[Sat Mar 30 20:26:49.653555 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:54052] AH01626: authorization result of Require all granted: granted
[Sat Mar 30 20:26:49.653688 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:54052] AH01626: authorization result of <RequireAny>: granted
[Sat Mar 30 20:26:49.653742 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:54052] AH01626: authorization result of Require all granted: granted
[Sat Mar 30 20:26:49.653747 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:54052] AH01626: authorization result of <RequireAny>: granted
[Sat Mar 30 20:26:49.653760 2019] [proxy:debug] [pid 81616:tid 34494210816] mod_proxy.c(1246): [client 10.3.2.40:54052] AH01143: Running scheme unix handler (attempt 0)
[Sat Mar 30 20:26:49.653765 2019] [proxy_fcgi:debug] [pid 81616:tid 34494210816] mod_proxy_fcgi.c(1019): [client 10.3.2.40:54052] AH01076: url: fcgi://localhost/var/customers/webs/tester1/web1/index.php proxyname: (null) proxyport: 0
[Sat Mar 30 20:26:49.653769 2019] [proxy_fcgi:debug] [pid 81616:tid 34494210816] mod_proxy_fcgi.c(1028): [client 10.3.2.40:54052] AH01078: serving URL fcgi://localhost/var/customers/webs/tester1/web1/index.php
[Sat Mar 30 20:26:49.653778 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2317): AH00942: FCGI: has acquired connection for (*)
[Sat Mar 30 20:26:49.653783 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2371): [client 10.3.2.40:54052] AH00944: connecting fcgi://localhost/var/customers/webs/tester1/web1/index.php to localhost:8000
[Sat Mar 30 20:26:49.653805 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2407): [client 10.3.2.40:54052] AH02545: fcgi: has determined UDS as /var/run/apache2/fastcgi/1-tester1-web1.morefoo.com-php-fpm.socket
[Sat Mar 30 20:26:49.653833 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2580): [client 10.3.2.40:54052] AH00947: connected /var/customers/webs/tester1/web1/index.php to httpd-UDS:0
[Sat Mar 30 20:26:49.653852 2019] [proxy:error] [pid 81616:tid 34494210816] (13)Permission denied: AH02454: FCGI: attempt to connect to Unix domain socket /var/run/apache2/fastcgi/1-tester1-web1.morefoo.com-php-fpm.socket (*) failed
[Sat Mar 30 20:26:49.653897 2019] [proxy_fcgi:error] [pid 81616:tid 34494210816] [client 10.3.2.40:54052] AH01079: failed to make connection to backend: httpd-UDS
[Sat Mar 30 20:26:49.653900 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2332): AH00943: FCGI: has released connection for (*)

 

Edited by sporkman: add logs


3 answers to this question


Well, did you specify "www" as the webserver user in the Froxlor settings? The default is www-data. Froxlor puts the webserver user as a member into the customer groups and it works just fine.
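To make the permission check behind this thread concrete, here is an added example (my own code, not Froxlor's and not the poster's) that parses a pool file in the format shown in the question and decides whether the httpd user could connect() to the socket. It applies the POSIX rule the kernel uses on the socket inode: the owner, group or "other" permission triplet is selected by which class the connecting uid/gids fall into, and connect() on a Unix domain socket needs the write bit. It evaluates the config as posted, the fix described in this answer (www as a member of the customer's group) and the poster's workaround (listen.group = www). Group membership is supplied by hand rather than looked up through NSS, since that would depend on the host; the `Pool`/`User` classes, the function names, the "root bypasses the check" shortcut and the assumed root default for listen.owner/listen.group are mine.

```python
"""Would the httpd user be allowed to connect() to a php-fpm pool socket?

Added example, not Froxlor or poster code.  connect() on a Unix domain socket
needs write permission on the socket inode; the bits come from the owner, group
or "other" triplet depending on which class the connecting uid/gids match.
"""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pool:
    name: str
    listen: str     # socket path
    owner: str      # listen.owner
    group: str      # listen.group
    mode: int       # listen.mode as an int, e.g. 0o660


@dataclass(frozen=True)
class User:
    """Identity of the connecting process; groups mirrors what `id <user>` prints."""
    name: str
    primary_group: str
    groups: frozenset = frozenset()   # supplementary groups

    def in_group(self, g):
        return g == self.primary_group or g in self.groups


def parse_pool(text):
    """Parse one php-fpm pool file; only [name] and the listen.* keys matter here."""
    name, kv = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    # php-fpm's own default for listen.mode is 0660; listen.owner/listen.group
    # default to the master process user, assumed here to be root.
    return Pool(name=name or "", listen=kv["listen"],
                owner=kv.get("listen.owner", "root"),
                group=kv.get("listen.group", "root"),
                mode=int(kv.get("listen.mode", "0660"), 8))


def can_connect(pool, user):
    """Select the owner/group/other triplet for `user` and test its write bit."""
    if user.name == "root":                 # uid 0 bypasses DAC (simplification)
        return True, "root bypasses permission checks"
    if user.name == pool.owner:
        bits, cls = (pool.mode >> 6) & 7, "owner"
    elif user.in_group(pool.group):
        bits, cls = (pool.mode >> 3) & 7, "group"
    else:
        bits, cls = pool.mode & 7, "other"
    ok = bool(bits & 2)
    return ok, (f"{user.name} falls in the '{cls}' class of {pool.listen} "
                f"({pool.owner}:{pool.group} {pool.mode:04o}); write bit "
                f"{'set' if ok else 'clear'}")


# Constructed sample: the listen/user lines of the pool file shown in the question.
POOL_TEXT = """\
;PHP-FPM configuration for "web1.example.com"
[web1.example.com]
listen = /var/run/apache2/fastcgi/1-tester1-web1.example.com-php-fpm.socket
listen.owner = tester1
listen.group = tester1
listen.mode = 0660
user = tester1
group = tester1
pm = dynamic
"""


def evaluate_scenarios(pool_text=POOL_TEXT):
    """Return {scenario: allowed} for the posted config and the fixes discussed."""
    pool = parse_pool(pool_text)
    # `id www` as posted: uid=80(www) gid=80(www) groups=80(www),9999(froxlorlocal)
    www = User("www", "www", frozenset({"froxlorlocal"}))
    www_in_customer = User("www", "www", frozenset({"froxlorlocal", "tester1"}))
    return {
        "as posted": can_connect(pool, www)[0],
        "www added to customer group": can_connect(pool, www_in_customer)[0],
        "listen.group = www": can_connect(replace(pool, group="www"), www)[0],
        "listen.mode = 0600 with group membership":
            can_connect(replace(pool, mode=0o600), www_in_customer)[0],
    }


if __name__ == "__main__":
    for label, ok in evaluate_scenarios().items():
        print(f"{'OK  ' if ok else 'DENY'} {label}")
    print(can_connect(parse_pool(POOL_TEXT), User("www", "www", frozenset({"froxlorlocal"})))[1])
```

Run as a script it prints DENY for the posted config and OK for either fix; to check a live host, replace the hand-written group sets with the real output of `id www` and point `parse_pool` at the files under php-fpm.d. The last scenario shows why the group bits matter: membership in the customer group does nothing if listen.mode drops to 0600.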


Yep. "www" is who the user runs as. As best I can tell it's not part of the user groups though. libnss-mysql seems to be working fine. 'bgreen' and 'css' are both "virtual" users. The "ls" shows that the ids (10000 and 10001) are being mapped properly by libnss-mysql. "css" group mapping seems fine.

[root@nj2 /var/customers/webs]# ls -la
total 32
drwxr-xr-x  4 root    wheel   512 Apr  1 20:05 .
drwxr-xr-x  6 root    wheel   512 Apr  1 03:15 ..
drwxr-xr-x  4 bgreen  bgreen  512 Apr  1 20:05 bgreen
drwxr-xr-x  4 css     css     512 Apr  1 06:10 css
[root@nj2 /var/customers/webs]# id www
uid=80(www) gid=80(www) groups=80(www),9999(froxlorlocal)
[root@nj2 /var/customers/webs]# groups www
www froxlorlocal
[root@nj2 /var/customers/webs]# id css
uid=10000(css) gid=10000(css) groups=10000(css)
[root@nj2 /var/customers/webs]# groups css
css
[root@nj2 /var/customers/webs]#

Process ownership all seems fine and you can see uid->uname mapping:

[root@nj2 /var/customers/webs]# ps auxw|grep http
root         17913  0.0  0.5  19460   9380  -  Ss   22:38      0:04.90 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17914  0.0  0.6  29104  13312  -  I    22:38      0:00.76 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17915  0.0  0.6  29104  13212  -  I    22:38      0:00.74 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17916  0.0  0.6  27056  12848  -  I    22:38      0:00.65 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17918  0.0  0.7  29104  13504  -  I    22:38      0:00.75 /usr/local/sbin/httpd -DNOHTTPACCEPT
root         25473  0.0  0.1   6660   2548  1  S+   20:13      0:00.00 grep http
[root@nj2 /var/customers/webs]# ps auxww|grep fpm
root         17886   0.0  0.8 166652  17216  -  Ss   22:38      0:06.10 php-fpm: master process (/usr/local/etc/php-fpm.conf) (php-fpm)
froxlorlocal 17890   0.0  1.9 169040  38388  -  I    22:38      0:01.68 php-fpm: pool nj2.example.com (php-fpm)
froxlorlocal 17891   0.0  0.8 166604  17236  -  I    22:38      0:00.00 php-fpm: pool nj2.example.com (php-fpm)
css          17892   0.0  0.8 166624  17404  -  I    22:38      0:00.02 php-fpm: pool example.us (php-fpm)
css          17893   0.0  0.8 166624  17236  -  I    22:38      0:00.00 php-fpm: pool example.us (php-fpm)
css          17894   0.0  0.8 166624  17236  -  I    22:38      0:00.00 php-fpm: pool example.us (php-fpm)
bgreen       24214   0.0  2.3 171364  47808  -  I    14:56      0:00.44 php-fpm: pool example.org (php-fpm)
bgreen       24215   0.0  2.3 171236  46840  -  I    14:56      0:00.69 php-fpm: pool example.org (php-fpm)
bgreen       24216   0.0  2.0 168804  40904  -  I    14:56      0:00.22 php-fpm: pool example.org (php-fpm)
root         25481   0.0  0.0    408    324  1  R+   20:13      0:00.00 grep fpm
[root@nj2 /var/customers/webs]#

For now, I just altered the code to put php-fpm's group socket ownership to the web user's group.  When I have the time I'll dig for the config variable for the www group instead of hard-coding. I'll just keep this on my little local changes list. :)

    // local change: sockets are group-owned by the web server user ("www")
    // so httpd can connect; the pool processes still run as the customer.
    if ($this->_domain['loginname'] == 'froxlor.panel') {
        $fpm_config .= 'listen.owner = ' . $this->_domain['guid'] . "\n";
        //$fpm_config .= 'listen.group = ' . $this->_domain['guid'] . "\n";
        $fpm_config .= 'listen.group = www' . "\n";
    } else {
        $fpm_config .= 'listen.owner = ' . $this->_domain['loginname'] . "\n";
        //$fpm_config .= 'listen.group = ' . $this->_domain['loginname'] . "\n";
        $fpm_config .= 'listen.group = www' . "\n";
    }
    // see #1418 why this is 0660
    $fpm_config .= 'listen.mode = 0660' . "\n";

    // process user/group: left as upstream has it. (The version first posted
    // here had replaced "group = ..." with a second "listen.group = www";
    // php-fpm then falls back to the user's primary group, so it still ran.)
    if ($this->_domain['loginname'] == 'froxlor.panel') {
        $fpm_config .= 'user = ' . $this->_domain['guid'] . "\n";
        $fpm_config .= 'group = ' . $this->_domain['guid'] . "\n";
    } else {
        $fpm_config .= 'user = ' . $this->_domain['loginname'] . "\n";
        $fpm_config .= 'group = ' . $this->_domain['loginname'] . "\n";
    }

 


Well, if you have libnss-mysql/libnss-extrausers set up correctly this should work just fine; Froxlor puts the webserver user in the customer groups.
