Public bug reported:

*** NOTE: This only affects Precise based on my testing. ***

A security change to make the FPM listener have permissions 0660 has introduced an issue in Precise with how the socket is created.

While this was resolved in later versions as part of Bug #1334337 (including in Trusty), this bug remains in Precise. If a user changes the /etc/php5/fpm/pool.d/www.conf file's `listen` directive to `/var/run/php5-fpm.sock` (as an example), that socket file is created with owner and group of root:root. This means that the regression identified in Bug #1334337 still exists in Precise, even if this only affects customized configurations.

When this happens, other web servers which run as www-data for their workers will be attempting to reach something that is owned by root:root, which (in nginx) will result in HTTP 502 Bad Gateway errors as "Permission Denied" errors.

While the configuration file specifically states www-data as the user and group for the workers, the socket is still created as root:root.

The solution to fix this is to uncomment the `listen.owner` and `listen.group` directives in the www.conf file that ships with the package. With those changes, the socket is created as www-data:www-data instead of root:root.

I will attach a patch/debdiff later that may provide a resolution for this issue.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: php5-fpm 5.3.10-1ubuntu3.13
Uname: Linux 2.6.32-042stab090.5 x86_64
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: amd64
Date: Mon Aug 4 20:43:30 2014
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 LC_MESSAGES=POSIX
 SHELL=/bin/bash
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: php5 (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug precise

** Description changed: *** NOTE: This only affects Precise based on my testing. *** A security change to make the FPM listener have permissions 0660 has introduced an issue in Precise with how the socket is created. 
While this was resolved in later versions as part of Bug #1334337 (including in Trusty), this bug remains in Precise. If a user changes the /etc/php5/fpm/pool.d/www.conf file's `listen` directive to `/var/run/php5-fpm.sock` (as an example), that socket file is created with owner and group of root:root. This means that the regression identified in Bug #1334337 still exists in Precise, even if this only affects customized configurations. When this happens, other web servers which run as www-data for their workers will be attempting to reach something that is owned by root:root, which (in nginx) will result in HTTP 502 Bad Gateway errors as "Permission Denied" errors. + While the configuration file specifically states www-data as the user + and group for the workers, the socket is still created as root:root. - The solution is to uncomment the `listen.owner` and `listen.group` directives in the www.conf file that ships with the package. With those changes, the socket is created as www-data:www-data instead of root:root. + The solution to fix this is to uncomment the `listen.owner` and + `listen.group` directives in the www.conf file that ships with the + package. With those changes, the socket is created as www-data:www-data + instead of root:root. I will attach a patch/debdiff later that may provide a resolution for this issue. 
ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: php5-fpm 5.3.10-1ubuntu3.13 Uname: Linux 2.6.32-042stab090.5 x86_64 ApportVersion: 2.0.1-0ubuntu17.6 Architecture: amd64 Date: Mon Aug 4 20:43:30 2014 MarkForUpload: True ProcEnviron: - TERM=xterm - PATH=(custom, no user) - LANG=en_US.UTF-8 - LC_MESSAGES=POSIX - SHELL=/bin/bash + TERM=xterm + PATH=(custom, no user) + LANG=en_US.UTF-8 + LC_MESSAGES=POSIX + SHELL=/bin/bash SourcePackage: php5 UpgradeStatus: No upgrade log present (probably fresh install)
** Summary changed: - php5-fpm UNIX sockets do not listen as www-data:www-data, cause 502s with webservers trying to use socket + php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by default, and causes 502s with webservers trying to use socket
-- 
https://bugs.launchpad.net/bugs/1352617
Title: php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by default, and causes 502s with webservers trying to use socket
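
The condition described in this report can be checked mechanically on a pool file. The following shell audit is an added example, not part of the original bug report or of the php5 package: the function names `pool_value` and `check_pool` are illustrative, the sample pool files are constructed, and it assumes that an absolute path in `listen` means a UNIX socket.

```shell
#!/bin/sh
# Added example: audit a php-fpm pool file for the condition in this report.
# pool_value and check_pool are illustrative names, not part of php5-fpm.

# Print the value of an uncommented "key = value" directive (last one wins).
# $1 = pool file, $2 = directive name as a sed regex; ';' lines are comments.
pool_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print a one-line verdict for pool file $1.
# Returns 1 when a UNIX socket is configured without listen.owner/listen.group.
check_pool() {
    listen=$(pool_value "$1" 'listen')
    owner=$(pool_value "$1" 'listen\.owner')
    group=$(pool_value "$1" 'listen\.group')
    case $listen in
        /*) ;;  # assumption: an absolute path is a UNIX socket
        *)  echo "ok: listen='$listen' is not a UNIX socket path"; return 0 ;;
    esac
    if [ -z "$owner" ] || [ -z "$group" ]; then
        echo "at-risk: $listen has no listen.owner/listen.group; per the report it is created root:root"
        return 1
    fi
    echo "ok: $listen will be created as $owner:$group"
}

# Constructed sample pools (not the packaged www.conf): before and after
# uncommenting the two directives named in the report.
tmp=$(mktemp -d)
printf '%s\n' 'user = www-data' 'group = www-data' \
    'listen = /var/run/php5-fpm.sock' \
    ';listen.owner = www-data' ';listen.group = www-data' > "$tmp/before.conf"
sed 's/^;listen\./listen./' "$tmp/before.conf" > "$tmp/after.conf"
check_pool "$tmp/before.conf" || true
check_pool "$tmp/after.conf"
rm -rf "$tmp"
```

Run against a real pool file with `check_pool /etc/php5/fpm/pool.d/www.conf`; a non-zero return marks the configuration the report says produces 502 errors from web servers whose workers run as www-data.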