FS#64734 - [php-fpm] hardening breaks more default installations

Attached to Project: Arch Linux
Opened by Thomas Schneider (BlackLotus) - Wednesday, 04 December 2019, 16:59 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 14:10 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


ProtectSystem=full is now set which breaks installations like roundcube which per default install to /usr/share/webapps/
This lets the process only access /usr in ro mode and if you setup roundcube with sqlite your database most likely resides under /usr as well.

Additional info:
php-fpm 7.4.0-2

Steps to reproduce:
1) Install some php application that uses sqlite and stores its database under /usr.
2) upgrade php-fpm
3) wonder for a 5minutes why it can't write to the database anymore and open a bug report after realizing that not the ACLs but systemd units are at fault
4) discuss if this needs to be solved in php-fpm or roundcube or somewhere else
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Wednesday, 18 December 2019, 14:10 GMT
Reason for closing:  Not a bug
Additional comments about closing:  Apps should not write into /usr
Comment by Jan de Groot (JGC) - Thursday, 05 December 2019, 08:35 GMT
Applications should not install databases in /usr but in /var instead. This is not a PHP bug but a bug in the application that breaks.
Comment by Christian (krist) - Thursday, 05 December 2019, 11:12 GMT
May I add that the current RestrictAddressFamilies & NoNewPrivileges settings from upstream do break mail handlers of some PHP applications?

I needed to add this to my overrides to make WordPress' wp_mail() work again:


Without AF_NETLINK, I'd get "postfix/sendmail[<pid>]: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol" errors.

And with `NoNewPrivileges` enabled, the php-fpm worker would get stuck throwing "postfix/postdrop[<pid>]: warning: mail_queue_enter: create file maildrop/<x>.<y>: Permission denied" over and over.