FS#64851 - [php-fpm] does not start because of missing permissions of unix socket

Attached to Project: Community Packages
Opened by Fabian Franz (fabianfrz) - Sunday, 15 December 2019, 20:11 GMT
Last edited by Pierre Schmitz (Pierre) - Wednesday, 18 December 2019, 19:28 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

PHP cannot change the owner of its socket and fails to start because of this.

Possible Fix:
/usr/lib/systemd/system/php-fpm.service
-CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_CHOWN
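Review bot: adding only CAP_CHOWN is the narrowest change that lets the master process perform the chown() of the socket that listen.owner/listen.group request, so it is preferable to removing the CapabilityBoundingSet= line altogether; note that the snippet has no file header or @@ context, so the target path on the line above (/usr/lib/systemd/system/php-fpm.service) is the only thing tying it to the unit, and the same change can be carried in a drop-in under /etc/systemd/system/php-fpm.service.d/ instead of editing the packaged unit.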


Additional info:
* package version(s)

Name : php-fpm
Version : 7.4.0-2
Description : FastCGI Process Manager for PHP
Architecture : x86_64
URL : https://secure.php.net/
Licenses : PHP
Groups : None
Provides : None
Depends On : php systemd
Optional Deps : None
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 16,07 MiB
Packager : Pierre Schmitz <pierre@archlinux.de>
Build Date : Sa 30 Nov 2019 10:43:49 UTC
Install Date : So 15 Dez 2019 19:45:08 UTC
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

* config and/or log files etc.

# relevant part of php config
listen = /run/php-fpm/php-fpm.sock
listen.owner = http
listen.group = http

Steps to reproduce:
Update php-fpm to the latest release and start it up; it fails if you configured a unix socket with owner user and group.
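To make the interaction between the pool config and the unit's bounding set checkable before a restart, here is an added example (not code from the php-fpm package, systemd or this report) that parses a unit's CapabilityBoundingSet= and a pool config and reports which capabilities the pool directives need but the unit does not grant. The directive-to-capability mapping (DIRECTIVE_CAPS) is my own assumption derived from the syscalls involved (chown(2) for listen.owner/listen.group, setuid/setgid for user/group), the sample unit and pool texts are constructed, and the function names are mine.

```python
"""Cross-check a php-fpm pool config against a systemd unit's
CapabilityBoundingSet=. Added example for this report; all inputs are
constructed samples, not files from any real system."""

# Constructed: the packaged unit's [Service] restriction before the fix.
UNIT_BEFORE = """\
[Service]
Type=notify
ExecStart=/usr/bin/php-fpm --nodaemonize
CapabilityBoundingSet=CAP_SETGID CAP_SETUID
"""

# Constructed: the same unit with the proposed one-capability addition.
UNIT_AFTER = UNIT_BEFORE.replace(
    "CapabilityBoundingSet=CAP_SETGID CAP_SETUID",
    "CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_CHOWN",
)

# Constructed pool config matching the report: socket chown()ed to http:http.
POOL_WWW = """\
[www]
user = http
group = http
listen = /run/php-fpm/php-fpm.sock
listen.owner = http
listen.group = http
"""

# Assumed mapping: which capability the root master process needs to honour
# each directive. chown(2) of the socket needs CAP_CHOWN; switching the
# workers' uid/gid needs CAP_SETUID/CAP_SETGID.
DIRECTIVE_CAPS = {
    "listen.owner": "CAP_CHOWN",
    "listen.group": "CAP_CHOWN",
    "user": "CAP_SETUID",
    "group": "CAP_SETGID",
}


def bounding_set(unit_text):
    """Return the capabilities allowed by CapabilityBoundingSet=, or None
    when the unit leaves the bounding set unrestricted.

    Follows systemd.exec(5) for the plain form: repeated assignments merge
    and an empty assignment resets the set to empty. The inverted '~CAP_X'
    form is rejected rather than guessed at."""
    allowed = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line.startswith("CapabilityBoundingSet="):
            continue
        value = line.split("=", 1)[1].strip()
        if value == "":
            allowed = set()
        elif value.startswith("~"):
            raise ValueError("inverted CapabilityBoundingSet= not supported")
        else:
            allowed = (allowed or set()) | set(value.split())
    return allowed


def required_caps(pool_text):
    """Map each needed capability to the pool directives that require it."""
    needed = {}
    for raw in pool_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, section headers and lines without '='.
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cap = DIRECTIVE_CAPS.get(key)
        if cap and value:
            needed.setdefault(cap, set()).add(key)
    return needed


def missing_caps(unit_text, pool_text):
    """Capabilities the pool needs that the unit's bounding set withholds.
    Returns {} when nothing is missing or the set is unrestricted."""
    allowed = bounding_set(unit_text)
    if allowed is None:
        return {}
    return {cap: sorted(keys)
            for cap, keys in required_caps(pool_text).items()
            if cap not in allowed}


if __name__ == "__main__":
    for label, unit in (("before", UNIT_BEFORE), ("after", UNIT_AFTER)):
        gaps = missing_caps(unit, POOL_WWW)
        print(f"{label}: {gaps or 'all required capabilities granted'}")
```

Run against the "before" unit the check names CAP_CHOWN as missing for listen.owner and listen.group, which is exactly the chown() failure in the journal; with CAP_CHOWN added it reports nothing missing. A unit with no CapabilityBoundingSet= line at all (the later upstream state) also reports nothing missing, but at the cost of an unrestricted bounding set.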

Closed by Pierre Schmitz (Pierre)
Wednesday, 18 December 2019, 19:28 GMT
Reason for closing: Fixed
Comment by loqs (loqs) - Sunday, 15 December 2019, 20:24 GMT
See FS#64781
Comment by Fabian Franz (fabianfrz) - Sunday, 15 December 2019, 21:49 GMT
Journal:

Dez 15 20:00:03 container systemd[1]: Failed to start The PHP FastCGI Process Manager.
Dez 15 20:00:03 container systemd[1]: php-fpm.service: Failed with result 'exit-code'.
Dez 15 20:00:03 container systemd[1]: php-fpm.service: Main process exited, code=exited, status=78/CONFIG
Dez 15 20:00:03 container php-fpm[1110]: [ERROR] FPM initialization failed
Dez 15 20:00:03 container php-fpm[1110]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
Dez 15 20:00:03 container php-fpm[1110]: [ERROR] FPM initialization failed
Dez 15 20:00:03 container php-fpm[1110]: [ERROR] [pool www] failed to chown() the socket '/run/php-fpm/php-fpm.sock': Operation not permitted (1)
Dez 15 20:00:03 container systemd[1]: Starting The PHP FastCGI Process Manager...
Comment by Fabian Franz (fabianfrz) - Sunday, 15 December 2019, 21:55 GMT
@loqs: what should I do with that?

In upstream the capabilities are not included anymore:
https://github.com/php/php-src/blob/master/sapi/fpm/php-fpm.service.in
Comment by loqs (loqs) - Sunday, 15 December 2019, 22:03 GMT
@fabianfrz yes, that is the point Pierre Schmitz noted. In the next upstream release the issue will be fixed, as there will be no capability restrictions.
Comment by Eli Schwartz (eschwartz) - Monday, 16 December 2019, 00:51 GMT
  • Field changed: Summary (PHP-FPM does not start because of missing permissions of unix socket → [php-fpm] does not start because of missing permissions of unix socket)
  • Field changed: Status (Unconfirmed → Assigned)
  • Task assigned to Pierre Schmitz (Pierre)
This broke the AUR when we tried upgrading luna; we're now running with a tweaked /etc/systemd/system/php-fpm.service with these changes applied: https://github.com/php/php-src/commit/67cd4271e922ee3082b416a7563598274d13a1e5#diff-c0605c0e7e1db864472acf66a9812d33

IMHO we should backport this to the official package... https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/php&id=c4c2a570a0dcdba8f9cd910817d641a74c99a345 does not seem to be sufficient.
