php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by default, and causes 502s with webservers trying to use socket

Bug #1352617 reported by Thomas Ward
Affects          Status     Importance  Assigned to  Milestone
php5 (Ubuntu)    New        Undecided   Unassigned
Precise          Won't Fix  Undecided   Unassigned

Bug Description

*** NOTE: This only affects Precise based on my testing. ***

A security change to make the FPM listener have permissions 0660 has introduced an issue in Precise with how the socket is created. While this was resolved in later versions as part of Bug #1334337 (including in Trusty), this bug remains in Precise.

If a user changes the /etc/php5/fpm/pool.d/www.conf file's `listen` directive to `/var/run/php5-fpm.sock` (as an example), that socket file is created with owner and group of root:root. This means that the regression identified in Bug #1334337 still exists in Precise, even if this only affects customized configurations. When this happens, other web servers which run as www-data for their workers will be attempting to reach something that is owned by root:root, which (in nginx) will result in HTTP 502 Bad Gateway errors as "Permission Denied" errors.

While the configuration file specifically states www-data as the user and group for the workers, the socket is still created as root:root.

The solution to fix this is to uncomment the `listen.owner` and `listen.group` directives in the www.conf file that ships with the package. With those changes, the socket is created as www-data:www-data instead of root:root.

I will attach a patch/debdiff later that may provide a resolution for this issue.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: php5-fpm 5.3.10-1ubuntu3.13
Uname: Linux 2.6.32-042stab090.5 x86_64
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: amd64
Date: Mon Aug 4 20:43:30 2014
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 LC_MESSAGES=POSIX
 SHELL=/bin/bash
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)
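The following script is an added example, not part of the bug report or of the php5 package. It checks for the condition the report describes: it reads the uncommented `listen.owner` and `listen.group` directives from a pool file and compares them with the owner and group that `stat` reports for the socket, failing when the directives are missing (the socket then keeps its creator's ownership) or when they do not match. The pool files and the "socket" it checks are constructed stand-ins created in a temporary directory; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not part of the bug report or the php5 package: check
# whether a php-fpm pool's UNIX socket is owned by the user/group the
# pool file names in listen.owner/listen.group. The pool files and the
# "socket" (a plain file) are constructed stand-ins; stat -c is GNU.

# Print the value of uncommented directive $2 in pool file $1. Lines
# commented out with ';' never match, so the shipped
# ';listen.owner = www-data' line yields an empty string.
pool_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when socket $2 is owned by listen.owner:listen.group from
# pool file $1. With either directive unset the socket keeps its
# creator's ownership (root:root when the master runs as root), which is
# exactly the 502-producing state from the report, so that fails too.
check_socket_owner() {
    cfg=$1; sock=$2
    want_user=$(pool_get "$cfg" listen.owner)
    want_group=$(pool_get "$cfg" listen.group)
    if [ -z "$want_user" ] || [ -z "$want_group" ]; then
        echo "FAIL: listen.owner/listen.group unset in $cfg; socket keeps its creator's ownership"
        return 1
    fi
    have=$(stat -c '%U:%G' "$sock") || return 1
    if [ "$have" = "$want_user:$want_group" ]; then
        echo "OK: $sock is $have as configured"
        return 0
    fi
    echo "FAIL: $sock is $have, pool expects $want_user:$want_group"
    return 1
}

# Write a constructed pool file to $1. $2 is a prefix put before the
# listen.owner/listen.group lines: ";" reproduces the shipped commented
# default, "" the uncommented lines the report proposes; $3/$4 are the
# owner and group written into those lines.
write_pool() {
    cat > "$1" <<EOF
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
${2}listen.owner = $3
${2}listen.group = $4
;listen.mode = 0660
EOF
}

# Demo against constructed files; the fixed pool names this user so the
# comparison can succeed without a real php5-fpm master.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/php5-fpm.sock"
    write_pool "$tmp/shipped.conf" ";" www-data www-data
    write_pool "$tmp/fixed.conf" "" "$(id -un)" "$(id -gn)"
    echo "== shipped www.conf (directives commented out) =="
    check_socket_owner "$tmp/shipped.conf" "$tmp/php5-fpm.sock" || true
    echo "== fixed www.conf (directives uncommented) =="
    check_socket_owner "$tmp/fixed.conf" "$tmp/php5-fpm.sock" || true
    rm -rf "$tmp"
}
demo
```

On a real host the same function can be pointed at the live files, for example `check_socket_owner /etc/php5/fpm/pool.d/www.conf /var/run/php5-fpm.sock` after the service has started. With the 0660 mode that the security change introduced, the web server's worker user or group has to match what the socket carries, so a mismatch here is the thing to look for before reading a 502 as an application fault.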

Thomas Ward (teward) wrote :
description: updated
Thomas Ward (teward)
summary: - php5-fpm UNIX sockets do not listen as www-data:www-data, cause 502s
- with webservers trying to use socket
+ php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by
+ default, and causes 502s with webservers trying to use socket
Thomas Ward (teward) wrote :

I'm attaching the patch I wrote for this.

As this patch is ultimately going to repair a problem introduced by a security fix, by forcing php5-fpm to use a specific user/group as the owner:group settings for the fpm socket, I would like the Security Team to review the change preliminarily, while I work on getting a debdiff made. This is solely because it changes how the php5-fpm package's /etc/php5/fpm/pool.d/www.conf file is generated, changing the default lines slightly. I'd like to make sure this doesn't break anything else or introduce any other issues.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fix-fpm-socket-owner-group.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
C de-Avillez (hggdh2)
Changed in php5 (Ubuntu Precise):
milestone: none → precise-updates
Seth Arnold (seth-arnold) wrote :

I'm sceptical of pushing an update for config files to precise; it's only got a year left, people probably have it working or they're deploying trusty or xenial instead. The change itself looks fine though.

Thanks

Thomas Ward (teward) wrote :

Note that "UNIX Sockets" applies only when configured to use them - default is to use a TCP listener.

Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in php5 (Ubuntu Precise):
status: New → Won't Fix