FS#64717 - [php-fpm][postfixadmin] PHP 7.4 upgrade breaks postfixadmin

Attached to Project: Community Packages
Opened by Ouack Ouack (B3l3tte) - Tuesday, 03 December 2019, 14:58 GMT
Last edited by David Runge (dvzrv) - Sunday, 13 September 2020, 20:01 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Pierre Schmitz (Pierre)
David Runge (dvzrv)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Starting php-fpm.service with PostfixAdmin installed throws an error message:

```
Dec 03 11:23:15 computer systemd[1]: Starting The PHP FastCGI Process Manager...
Dec 03 11:23:16 computer php-fpm[1037]: [ERROR] unable to bind listening socket for address '/run/postfixadmin/postfixadmin.sock': Permission denied (13)
Dec 03 11:23:16 computer php-fpm[1037]: [ERROR] FPM initialization failed
Dec 03 11:23:16 computer php-fpm[1037]: [ERROR] unable to bind listening socket for address '/run/postfixadmin/postfixadmin.sock': Permission denied (13)
Dec 03 11:23:16 computer php-fpm[1037]: [ERROR] FPM initialization failed
Dec 03 11:23:16 computer systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG
Dec 03 11:23:16 computer systemd[1]: php-fpm.service: Failed with result 'exit-code'.
Dec 03 11:23:16 computer systemd[1]: Failed to start The PHP FastCGI Process Manager.
```

Additional info:
* PHP, PHP-FPM, PHP-IMAP 7.4.0-2
* PostfixAdmin 3.2.3-1
* Postfix 3.4.8-1
* MariaDB 10.4.10-2

Steps to reproduce:
* Install all dependencies
* Follow the wiki to install PostfixAdmin (without the PHP7.4 fix that I wrote).

The PHP-FPM postfixadmin pool is not working properly and will prevent the php-fpm.service from starting with the given error log.

A workaround is to:
* Switch to ACL user / group management in the pool (see https://bugs.archlinux.org/task/64683)
* Edit the ACLs of the /run/postfixadmin directory.

```
# /etc/php/php-fpm.d/postfixadmin.conf
[postfixadmin]
user = postfixadmin
group = postfixadmin
listen = /run/postfixadmin/postfixadmin.sock
listen.acl_users = http
listen.acl_groups = http
pm = ondemand
pm.max_children = 4
```

Append the following line to /usr/lib/tmpfiles.d/postfixadmin.conf:

```
a+ %t/postfixadmin - - - - group:root:rwx
```

I don't have the time to check the compatibility of this solution for PHP / PHP-IMAP / PHP-FPM version < 7.4 for now.

Closed by David Runge (dvzrv)
Sunday, 13 September 2020, 20:01 GMT
Reason for closing: Not a bug
Additional comments about closing: If using the listen.owner and listen.group configuration setting for a php-fpm pool everything works.

ACLs are not required to be set, as php-fpm is started as root and then delegates privileges per pool according to configuration.
Comment by David Runge (dvzrv) - Friday, 17 January 2020, 01:34 GMT
Thanks for the report! Sorry for the long delay... we don't have bug wrangling.

I don't use php-fpm and am currently still on php 7.3 due to the issues with nextcloud.

I'll add Pierre Schmitz to the ticket, maybe he has an idea.
Comment by Ouack Ouack (B3l3tte) - Friday, 17 January 2020, 09:59 GMT
Ok, no problem!

Really I think the package should be updated with the modifications that I mentioned: switch to ACL owner / group / rights management

The only thing to check, and that I haven't done, sorry for that, is to ensure it's backward compatible with php < 7.4

Thanks for your answer :)
Comment by David Runge (dvzrv) - Friday, 24 January 2020, 21:50 GMT
@B3l3tte: I've upgraded my system (but still don't face the problem you're having).

I'm using uwsgi for containerizing of web applications. Similarly to php-fpm's service, I've hardened the service, but the socket is created by systemd:

```
[Unit]
Description=Socket for uWSGI %I

[Socket]
ListenStream=/run/%I/%I.sock
SocketGroup=http
SocketMode=0660

[Install]
WantedBy=sockets.target
```

Leading to:

```
lal /run/postfixadmin
total 0
drwxr-xr-x 2 postfixadmin postfixadmin 80 Jan 24 22:20 .
drwxr-xr-x 39 root root 960 Jan 24 21:16 ..
srw-rw---- 1 root http 0 Jan 24 21:15 postfixadmin.sock
```

I wonder whether something similar can be achieved for php-fpm (e.g. php-fpm.socket).

I'm currently asking myself how ACLs for group root can have any effect, if the access takes place with the http user/group.
In the current setup /run/postfixadmin already has mode 755 and is therefore world readable by default.

What are the permissions/ownerships on the socket that php-fpm creates in your example?
Comment by Ouack Ouack (B3l3tte) - Wednesday, 05 February 2020, 11:02 GMT
Hi!

```
$ getfacl /run/php-fpm/
# file: php-fpm/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

$ getfacl /run/php-fpm/php-fpm.sock
# file: php-fpm/php-fpm.sock
# owner: root
# group: root
user::rw-
user:http:rw-
group::rw-
group:http:rw-
mask::rw-
other::---

$ getfacl /run/postfixadmin/
# file: postfixadmin/
# owner: postfixadmin
# group: postfixadmin
user::rwx
group::r-x
group:root:rwx
mask::rwx
other::r-x

$ getfacl /run/postfixadmin/postfixadmin.sock
# file: postfixadmin/postfixadmin.sock
# owner: root
# group: root
user::rw-
user:http:rw-
group::rw-
group:http:rw-
mask::rw-
other::---
```

So my socket's group is root, because I don't use uWSGI, and therefore can't set the postfixadmin socket's group (no intermediate service is used, so it is impossible for me to set a "SocketGroup=http"). Or do you have an idea on how to do this?
The ACL management allows the root:root created socket to be read/written by the http:http user.
I never succeeded in creating a postfixadmin socket other than root:root, hence the necessity on my end to use the ACL workaround.

Thanks for your time,
Peace
Comment by David Runge (dvzrv) - Sunday, 13 September 2020, 19:59 GMT
I have revisited this bug and can not reproduce it.

I have:

php > 7.4

```
# /etc/php/php-fpm.d/postfixadmin.conf
[postfixadmin]
user = postfixadmin
group = postfixadmin
listen = /run/postfixadmin/postfixadmin.sock
listen.owner = root
listen.group = http
listen.mode = 0660
pm = ondemand
pm.max_children = 4

php_admin_value['date.timezone'] = Europe/Berlin
php_admin_value['session.save_path'] = /tmp
php_admin_value['open_basedir'] = /tmp/:/usr/share/webapps/postfixadmin/:/etc/webapps/postfixadmin/:/usr/bin/doveadm:/var/cache/postfixadmin
```

and use it via nginx:

```
# /etc/nginx/postfixadmin.conf
[..]

location ~ ^(.+\.php)(.*)$ {
include fastcgi.conf;
fastcgi_pass unix:/run/postfixadmin/postfixadmin.sock;
fastcgi_index index.php;
}

[..]
```

This gives me:

```
$ ls -lah /run/postfixadmin
total 0
drwxr-xr-x 2 postfixadmin postfixadmin 60 Sep 13 21:53 .
drwxr-xr-x 43 root root 1.1K Sep 13 21:21 ..
srw-rw---- 1 root http 0 Sep 13 21:53 postfixadmin.sock
```

and

```
$ getfacl /run/postfixadmin/postfixadmin.sock
getfacl: Removing leading '/' from absolute path names
# file: run/postfixadmin/postfixadmin.sock
# owner: root
# group: http
user::rw-
group::rw-
other::---
```

No ACLs are required at all, as php-fpm offers all required settings with the `listen.owner` and `listen.group` (**not** `listen.acl_users` and `listen.acl_groups`!) setting already.

The only thing I could not figure out is how to dynamically load extensions in a php-fpm configuration file, but that's beside the point.

I will close this issue and also remove the false information from the wiki article.
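The closing comment's point, as an added example that is not part of the ticket or of the php-fpm project: a small POSIX sh audit that reads a php-fpm pool file and reports whether socket ownership is left to `listen.acl_users`/`listen.acl_groups` or set with `listen.owner`/`listen.group`/`listen.mode`, and whether the mode leaves the socket open to "other". The two pool files it checks are constructed inline from the configurations quoted in this thread; `check_pool_listen` and `pool_get` are names chosen here.

```shell
#!/bin/sh
# Audit a php-fpm pool file for how its unix listening socket is secured.
# check_pool_listen FILE -> 0 when listen.owner, listen.group and listen.mode are
# all set and the mode grants nothing to "other"; 1 (with a reason) otherwise.

pool_get() {
    # pool_get FILE KEY: value of the first "KEY = value" line; KEY is a sed regex
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_pool_listen() {
    f=$1
    sock=$(pool_get "$f" 'listen')
    case "$sock" in
        /*) ;;
        *)  echo "listens on '$sock', not a unix socket; nothing to check"; return 0 ;;
    esac
    acl=$(pool_get "$f" 'listen\.acl_users')
    owner=$(pool_get "$f" 'listen\.owner')
    group=$(pool_get "$f" 'listen\.group')
    mode=$(pool_get "$f" 'listen\.mode')
    if [ -n "$acl" ] && [ -z "$owner$group" ]; then
        echo "socket ownership left to listen.acl_users; set listen.owner/listen.group instead"
        return 1
    fi
    if [ -z "$owner" ] || [ -z "$group" ] || [ -z "$mode" ]; then
        echo "listen.owner, listen.group and listen.mode must all be set"
        return 1
    fi
    # last octal digit is the permission set for "other"; a private socket needs 0
    case "$mode" in
        *0) echo "ok: $sock will be $owner:$group mode $mode"; return 0 ;;
        *)  echo "listen.mode $mode grants access to every local user"; return 1 ;;
    esac
}

# Constructed sample pool files (the ACL variant from the report, the
# listen.owner variant from the closing comment); removed when the script exits.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '[postfixadmin]' 'user = postfixadmin' 'group = postfixadmin' \
    'listen = /run/postfixadmin/postfixadmin.sock' 'listen.acl_users = http' \
    'listen.acl_groups = http' 'pm = ondemand' > "$TMP/acl.conf"
printf '%s\n' '[postfixadmin]' 'user = postfixadmin' 'group = postfixadmin' \
    'listen = /run/postfixadmin/postfixadmin.sock' 'listen.owner = root' \
    'listen.group = http' 'listen.mode = 0660' 'pm = ondemand' > "$TMP/owner.conf"
for p in acl owner; do
    printf '%s.conf: ' "$p"; check_pool_listen "$TMP/$p.conf" || true
done
```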
