Public bug reported:

*** NOTE:  This only affects Precise based on my testing. ***

A security change to make the FPM listener have permissions 0660 has
introduced an issue in Precise with how the socket is created.  While
this was resolved in later versions as part of Bug #1334337 (including
in Trusty), this bug remains in Precise.

If a user changes the /etc/php5/fpm/pool.d/www.conf file's `listen`
directive to `/var/run/php5-fpm.sock` (as an example), that socket file
is created with owner and group of root:root.  This means that the
regression identified in Bug #1334337 still exists in Precise, even if
this only affects customized configurations.  When this happens, other
web servers which run as www-data for their workers will be attempting
to reach something that is owned by root:root, which (in nginx) will
result in HTTP 502 Bad Gateway errors as "Permission Denied" errors.

While the configuration file specifically states www-data as the user
and group for the workers, the socket is still created as root:root.

The solution to fix this is to uncomment the `listen.owner` and
`listen.group` directives in the www.conf file that ships with the
package.  With those changes, the socket is created as www-data:www-data
instead of root:root.

I will attach a patch/debdiff later that may provide a resolution for
this issue.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: php5-fpm 5.3.10-1ubuntu3.13
Uname: Linux 2.6.32-042stab090.5 x86_64
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: amd64
Date: Mon Aug  4 20:43:30 2014
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 LC_MESSAGES=POSIX
 SHELL=/bin/bash
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug precise

** Description changed:

  *** NOTE:  This only affects Precise based on my testing. ***
  
  A security change to make the FPM listener have permissions 0660 has
  introduced an issue in Precise with how the socket is created.  While
  this was resolved in later versions as part of Bug #1334337 (including
  in Trusty), this bug remains in Precise.
  
  If a user changes the /etc/php5/fpm/pool.d/www.conf file's `listen`
  directive to `/var/run/php5-fpm.sock` (as an example), that socket file
  is created with owner and group of root:root.  This means that the
  regression identified in Bug #1334337 still exists in Precise, even if
  this only affects customized configurations.  When this happens, other
  web servers which run as www-data for their workers will be attempting
  to reach something that is owned by root:root, which (in nginx) will
  result in HTTP 502 Bad Gateway errors as "Permission Denied" errors.
  
+ While the configuration file specifically states www-data as the user
+ and group for the workers, the socket is still created as root:root.
  
- The solution is to uncomment the `listen.owner` and `listen.group` directives 
in the www.conf file that ships with the package.  With those changes, the 
socket is created as www-data:www-data instead of root:root.
+ The solution to fix this is to uncomment the `listen.owner` and
+ `listen.group` directives in the www.conf file that ships with the
+ package.  With those changes, the socket is created as www-data:www-data
+ instead of root:root.
  
  I will attach a patch/debdiff later that may provide a resolution for
  this issue.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: php5-fpm 5.3.10-1ubuntu3.13
  Uname: Linux 2.6.32-042stab090.5 x86_64
  ApportVersion: 2.0.1-0ubuntu17.6
  Architecture: amd64
  Date: Mon Aug  4 20:43:30 2014
  MarkForUpload: True
  ProcEnviron:
-  TERM=xterm
-  PATH=(custom, no user)
-  LANG=en_US.UTF-8
-  LC_MESSAGES=POSIX
-  SHELL=/bin/bash
+  TERM=xterm
+  PATH=(custom, no user)
+  LANG=en_US.UTF-8
+  LC_MESSAGES=POSIX
+  SHELL=/bin/bash
  SourcePackage: php5
  UpgradeStatus: No upgrade log present (probably fresh install)

** Summary changed:

- php5-fpm UNIX sockets do not listen as www-data:www-data, cause 502s with 
webservers trying to use socket
+ php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by 
default, and causes 502s with webservers trying to use socket

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/1352617

Title:
  php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by
  default, and causes 502s with webservers trying to use socket
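The permission failure described in the report can be predicted from the pool file alone. The following is an added example, not part of the original bug report or the php5 package: it parses a constructed www.conf excerpt and checks whether a www-data client could connect to the socket, assuming the 0660 mode and the root:root default stated in the report. The names `parse_pool` and `socket_access` and the sample text are hypothetical.

```python
import re

# Constructed excerpt of /etc/php5/fpm/pool.d/www.conf: the listen.owner and
# listen.group lines are still commented out, as the report describes.
SAMPLE_SHIPPED = """\
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
;listen.owner = www-data
;listen.group = www-data
"""
# The same excerpt with the two directives uncommented (the reported fix).
SAMPLE_FIXED = SAMPLE_SHIPPED.replace(";listen.", "listen.")

def parse_pool(text):
    """Return the active (uncommented) key = value directives of a pool file."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.match(r"([\w.]+)\s*=\s*(.+)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def socket_access(conf, client_user, client_groups=()):
    """Predict whether client_user can connect() to the pool's UNIX socket.

    Assumptions taken from the report: the socket mode is 0660 and the socket
    is root:root when listen.owner / listen.group are not set.
    connect() on a UNIX socket requires write permission on the socket file.
    """
    if not conf.get("listen", "").startswith("/"):
        return None  # TCP listener: file permissions do not apply
    owner = conf.get("listen.owner", "root")
    group = conf.get("listen.group", "root")
    mode = int(conf.get("listen.mode", "0660"), 8)
    if client_user == "root":
        return True  # root bypasses file permission checks
    if client_user == owner:
        return bool(mode & 0o200)  # owner write bit
    if group in client_groups:
        return bool(mode & 0o020)  # group write bit
    return bool(mode & 0o002)      # "other" write bit

if __name__ == "__main__":
    for name, text in (("shipped", SAMPLE_SHIPPED), ("fixed", SAMPLE_FIXED)):
        ok = socket_access(parse_pool(text), "www-data", ("www-data",))
        print(name, "-> www-data can connect:", ok)
```

The worker `user` and `group` lines are parsed but never consulted by `socket_access`, which matches the report's observation that they do not determine the socket's ownership.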