Permissions mismatch between php-fpm sockets and web user

[sporkman]

I'm a bit stumped on something here with the php-fpm setup...  I'm seeing my virthosts not able to serve content because when apache connects to the php-fpm socket, it gets a "permission denied" error. The error does make sense - the web server runs as user "www" (whether in pre-fork or worker mpm modes), and there are no suexec overrides (not sure that's even available in worker mpm?) in the individual virtual host entries. And in the per-user php-fpm configs, the permissions are clearly set to the user/group of the the owner, and the mask is 0660 - meaning ONLY the owner of the site has access to those sockets.  This does not seem like it should work - is something different supposed to be happening here?  Should the www group be the group owner of the sockets? If I manually override that by doing a recursive "chgrp www" in the php-fpm socket directory, all is well. If I manually override the php-fpm config to make www the group owner all is well.

What am I missing?  I know I can just hack around this by modifying the code that generates the php-fpm config, but that feels wrong...

Vhost config example:

[root@panel /usr/local/etc/apache24]# cat sites-enabled/35_froxlor_normal_vhost_web1.example.com.conf
# 35_froxlor_normal_vhost_web1.example.com.conf
# Created 31.03.2019 00:59
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.

# Domain ID: 2 - CustomerID: 1 - CustomerLogin: tester1
<VirtualHost 10.3.2.207:80>
  ServerName web1.example.com
  ServerAdmin css-test1@example.com
  DocumentRoot "/var/customers/webs/tester1/web1/"
  <FilesMatch \.(php)$>
  SetHandler proxy:unix:/var/run/apache2/fastcgi/1-tester1-web1.example.com-php-fpm.socket|fcgi://localhost
  </FilesMatch>
  <Directory "/var/customers/webs/tester1/web1/">
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/tester1/webalizer/web1.example.com"
  ErrorLog "/var/customers/logs/tester1-web1.example.com-error.log"
  CustomLog "/var/customers/logs/tester1-web1.example.com-access.log" combined
</VirtualHost>
[root@panel /usr/local/etc/apache24]#

PHP-FPM config example:

[root@panel /usr/local/etc/apache24]# cat ../php-fpm.d/web1.example.com.conf
;PHP-FPM configuration for "web1.example.com" created on 2019.03.31 00:59:12
[web1.example.com]
listen = /var/run/apache2/fastcgi/1-tester1-web1.example.com-php-fpm.socket
listen.owner = tester1
listen.group = tester1
listen.mode = 0660
user = tester1
group = tester1
pm = dynamic
pm.max_children = 1
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 0
;chroot = /var/customers/webs/tester1/web1/
security.limit_extensions = .php
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /var/customers/tmp/tester1/
env[TMPDIR] = /var/customers/tmp/tester1/
env[TEMP] = /var/customers/tmp/tester1/
php_admin_value[session.save_path] = /var/customers/tmp/tester1/
php_admin_value[upload_tmp_dir] = /var/customers/tmp/tester1/


php_admin_flag[allow_call_time_pass_reference] = Off
php_admin_flag[allow_url_fopen] = Off
[... snip tons of php flags ...]
php_admin_value[open_basedir] = "/var/customers/webs/tester1/web1:/var/customers/tmp/tester1:/usr/local/share/php:/usr/share/php5:/tmp"
php_admin_value[output_buffering] = 4096
[...]
php_admin_value[opcache.restrict_api] = "/var/customers/webs/tester1/web1/"
[root@panel /usr/local/etc/apache24]#

Oh, maybe you don't want to just trust me, so some logs showing the permissions issue:

[Sat Mar 30 20:26:49.653555 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:540
52] AH01626: authorization result of Require all granted: granted
[Sat Mar 30 20:26:49.653688 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:540
52] AH01626: authorization result of <RequireAny>: granted
[Sat Mar 30 20:26:49.653742 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:540
52] AH01626: authorization result of Require all granted: granted
[Sat Mar 30 20:26:49.653747 2019] [authz_core:debug] [pid 81616:tid 34494210816] mod_authz_core.c(817): [client 10.3.2.40:540
52] AH01626: authorization result of <RequireAny>: granted
[Sat Mar 30 20:26:49.653760 2019] [proxy:debug] [pid 81616:tid 34494210816] mod_proxy.c(1246): [client 10.3.2.40:54052] AH011
43: Running scheme unix handler (attempt 0)
[Sat Mar 30 20:26:49.653765 2019] [proxy_fcgi:debug] [pid 81616:tid 34494210816] mod_proxy_fcgi.c(1019): [client 10.3.2.40:54
052] AH01076: url: fcgi://localhost/var/customers/webs/tester1/web1/index.php proxyname: (null) proxyport: 0
[Sat Mar 30 20:26:49.653769 2019] [proxy_fcgi:debug] [pid 81616:tid 34494210816] mod_proxy_fcgi.c(1028): [client 10.3.2.40:54
052] AH01078: serving URL fcgi://localhost/var/customers/webs/tester1/web1/index.php
[Sat Mar 30 20:26:49.653778 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2317): AH00942: FCGI: has acquired c
onnection for (*)
[Sat Mar 30 20:26:49.653783 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2371): [client 10.3.2.40:54052] AH00
944: connecting fcgi://localhost/var/customers/webs/tester1/web1/index.php to localhost:8000
[Sat Mar 30 20:26:49.653805 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2407): [client 10.3.2.40:54052] AH02
545: fcgi: has determined UDS as /var/run/apache2/fastcgi/1-tester1-web1.morefoo.com-php-fpm.socket
[Sat Mar 30 20:26:49.653833 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2580): [client 10.3.2.40:54052] AH00947: connected /var/customers/webs/tester1/web1/index.php to httpd-UDS:0
[Sat Mar 30 20:26:49.653852 2019] [proxy:error] [pid 81616:tid 34494210816] (13)Permission denied: AH02454: FCGI: attempt to connect to Unix domain socket /var/run/apache2/fastcgi/1-tester1-web1.morefoo.com-php-fpm.socket (*) failed
[Sat Mar 30 20:26:49.653897 2019] [proxy_fcgi:error] [pid 81616:tid 34494210816] [client 10.3.2.40:54052] AH01079: failed to make connection to backend: httpd-UDS
[Sat Mar 30 20:26:49.653900 2019] [proxy:debug] [pid 81616:tid 34494210816] proxy_util.c(2332): AH00943: FCGI: has released c
onnection for (*)

 

[d00p]

Well did you specify "www" as the webserver user in froxlor settings? default is www-data. Froxlor puts the webserver user as member to the customer groups and it works just fine

[sporkman]

Yep. "www" is who the user runs as. As best I can tell it's not part of the user groups though. libnss-mysql seems to be working fine. 'bgreen' and 'css' are both "virtual" users. The "ls" shows that the ids (10000 and 10001) are being mapped properly by libnss-mysql. "css" group mapping seems fine.

[root@nj2 /var/customers/webs]# ls -la
total 32
drwxr-xr-x  4 root    wheel   512 Apr  1 20:05 .
drwxr-xr-x  6 root    wheel   512 Apr  1 03:15 ..
drwxr-xr-x  4 bgreen  bgreen  512 Apr  1 20:05 bgreen
drwxr-xr-x  4 css     css     512 Apr  1 06:10 css
[root@nj2 /var/customers/webs]# id www
uid=80(www) gid=80(www) groups=80(www),9999(froxlorlocal)
[root@nj2 /var/customers/webs]# groups www
www froxlorlocal
[root@nj2 /var/customers/webs]# id css
uid=10000(css) gid=10000(css) groups=10000(css)
[root@nj2 /var/customers/webs]# groups css
css
[root@nj2 /var/customers/webs]#

Process ownership all seems fine and you can see uid->uname mapping:

[root@nj2 /var/customers/webs]# ps auxw|grep http
root         17913  0.0  0.5  19460   9380  -  Ss   22:38      0:04.90 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17914  0.0  0.6  29104  13312  -  I    22:38      0:00.76 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17915  0.0  0.6  29104  13212  -  I    22:38      0:00.74 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17916  0.0  0.6  27056  12848  -  I    22:38      0:00.65 /usr/local/sbin/httpd -DNOHTTPACCEPT
www          17918  0.0  0.7  29104  13504  -  I    22:38      0:00.75 /usr/local/sbin/httpd -DNOHTTPACCEPT
root         25473  0.0  0.1   6660   2548  1  S+   20:13      0:00.00 grep http
[root@nj2 /var/customers/webs]# ps auxww|grep fpm
root         17886   0.0  0.8 166652  17216  -  Ss   22:38      0:06.10 php-fpm: master process (/usr/local/etc/php-fpm.conf) (php-fpm)
froxlorlocal 17890   0.0  1.9 169040  38388  -  I    22:38      0:01.68 php-fpm: pool nj2.example.com (php-fpm)
froxlorlocal 17891   0.0  0.8 166604  17236  -  I    22:38      0:00.00 php-fpm: pool nj2.example.com (php-fpm)
css          17892   0.0  0.8 166624  17404  -  I    22:38      0:00.02 php-fpm: pool example.us (php-fpm)
css          17893   0.0  0.8 166624  17236  -  I    22:38      0:00.00 php-fpm: pool example.us (php-fpm)
css          17894   0.0  0.8 166624  17236  -  I    22:38      0:00.00 php-fpm: pool example.us (php-fpm)
bgreen       24214   0.0  2.3 171364  47808  -  I    14:56      0:00.44 php-fpm: pool example.org (php-fpm)
bgreen       24215   0.0  2.3 171236  46840  -  I    14:56      0:00.69 php-fpm: pool example.org (php-fpm)
bgreen       24216   0.0  2.0 168804  40904  -  I    14:56      0:00.22 php-fpm: pool example.org (php-fpm)
root         25481   0.0  0.0    408    324  1  R+   20:13      0:00.00 grep fpm
[root@nj2 /var/customers/webs]#

For now, I just altered the code to put php-fpm's group socket ownership to the web user's group.  When I have the time I'll dig for the config variable for the www group instead of hard-coding. I'll just keep this on my little local changes list.

                        if ($this->_domain['loginname'] == 'froxlor.panel') {
                                $fpm_config .= 'listen.owner = ' . $this->_domain['guid'] . "\n";
                                //$fpm_config .= 'listen.group = ' . $this->_domain['guid'] . "\n";
                                $fpm_config .= 'listen.group = www' . "\n";
                        } else {
                                $fpm_config .= 'listen.owner = ' . $this->_domain['loginname'] . "\n";
                                //$fpm_config .= 'listen.group = ' . $this->_domain['loginname'] . "\n";
                                $fpm_config .= 'listen.group = www' . "\n";
                        }
                        // see #1418 why this is 0660
                        $fpm_config .= 'listen.mode = 0660' . "\n";

                        if ($this->_domain['loginname'] == 'froxlor.panel') {
                                $fpm_config .= 'user = ' . $this->_domain['guid'] . "\n";
                                //$fpm_config .= 'group = ' . $this->_domain['guid'] . "\n";
                                $fpm_config .= 'listen.group = www' . "\n";
                        } else {
                                $fpm_config .= 'user = ' . $this->_domain['loginname'] . "\n";
                                //$fpm_config .= 'group = ' . $this->_domain['loginname'] . "\n";
                                $fpm_config .= 'listen.group = www' . "\n";
                        }

 

[d00p]

well, if you have libnss-mysql/libnss-extrausers setup correctly this should work just fine , froxlor puts the webserver user in the customer groups