FS#64734 - [php-fpm] hardening breaks more default installations
Attached to Project:
Arch Linux
Opened by Thomas Schneider (BlackLotus) - Wednesday, 04 December 2019, 16:59 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 14:10 GMT
Opened by Thomas Schneider (BlackLotus) - Wednesday, 04 December 2019, 16:59 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 14:10 GMT
|
Details
Description:
ProtectSystem=full is now set which breaks installations like roundcube which per default install to /usr/share/webapps/ This lets the process only access /usr in ro mode and if you setup roundcube with sqlite your database most likely resides under /usr as well. Additional info: php-fpm 7.4.0-2 Steps to reproduce: 1) Install some php application that uses sqlite and stores its database under /usr. 2) upgrade php-fpm 3) wonder for a 5minutes why it can't write to the database anymore and open a bug report after realizing that not the ACLs but systemd units are at fault 4) discuss if this needs to be solved in php-fpm or roundcube or somewhere else |
This task depends upon
Closed by Pierre Schmitz (Pierre)
Wednesday, 18 December 2019, 14:10 GMT
Reason for closing: Not a bug
Additional comments about closing: Apps should not write into /usr
Wednesday, 18 December 2019, 14:10 GMT
Reason for closing: Not a bug
Additional comments about closing: Apps should not write into /usr
I needed to add this to my overrides to make WordPress' wp_mail() work again:
[Service]
NoNewPrivileges=false
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
Without AF_NETLINK, I'd get "postfix/sendmail[<pid>]: fatal: inet_addr_local[getifaddrs]: getifaddrs: Address family not supported by protocol" errors.
And with `NoNewPrivileges` enabled, the php-fpm worker would get stuck throwing "postfix/postdrop[<pid>]: warning: mail_queue_enter: create file maildrop/<x>.<y>: Permission denied" over and over.