php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by default, and causes 502s with webservers trying to use socket
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
php5 (Ubuntu) | New | Undecided | Unassigned | |
Precise | Won't Fix | Undecided | Unassigned | |
Bug Description
*** NOTE: This only affects Precise based on my testing. ***
A security change to make the FPM listener have permissions 0660 has introduced an issue in Precise with how the socket is created. While this was resolved in later versions as part of Bug #1334337 (including in Trusty), this bug remains in Precise.
If a user changes the /etc/php5/
While the configuration file specifically states www-data as the user and group for the workers, the socket is still created as root:root.
The solution to fix this is to uncomment the `listen.owner` and `listen.group` directives in the www.conf file that ships with the package. With those changes, the socket is created as www-data:www-data instead of root:root.
I will attach a patch/debdiff later that may provide a resolution for this issue.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: php5-fpm 5.3.10-1ubuntu3.13
Uname: Linux 2.6.32-042stab090.5 x86_64
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: amd64
Date: Mon Aug 4 20:43:30 2014
MarkForUpload: True
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
LC_MESSAGES=POSIX
SHELL=/bin/bash
SourcePackage: php5
UpgradeStatus: No upgrade log present (probably fresh install)
summary:
- php5-fpm UNIX sockets do not listen as www-data:www-data, cause 502s
- with webservers trying to use socket
+ php5-fpm UNIX sockets in Precise do not listen as www-data:www-data by
+ default, and causes 502s with webservers trying to use socket
Changed in php5 (Ubuntu Precise):
milestone: none → precise-updates
I'm attaching the patch I wrote for this.
As this patch is ultimately going to repair a problem introduced by a security fix, by forcing php5-fpm to force a specific user/group to be the owner:group settings for the fpm socket, I would like the Security Team to review the change preliminarily, while I work on getting a debdiff made. This is solely because it changes how the php5-fpm package's /etc/php5/fpm/pool.d/www.conf file is generated, changing the default lines slightly. I'd like to make sure this doesn't break anything else or introduce any other issues.
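The check below is an added example, not part of the bug report or the php5 package: it reads a pool file and flags the condition described in this report, a UNIX-socket `listen` whose `listen.owner` and `listen.group` are still commented out. The function names, the socket path /var/run/php5-fpm.sock and the sample pool excerpt are constructed assumptions, and it assumes the web server's group has the same name as its user.

```shell
#!/bin/bash
# pool_value FILE KEY: print the value of an active directive in an FPM pool
# file. Lines starting with ';' are comments and are skipped.
pool_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# audit_pool FILE WEB_USER: return 1 when the pool listens on a UNIX socket
# that WEB_USER cannot open once the socket mode is 0660.
audit_pool() {
    conf=$1; web_user=$2
    listen=$(pool_value "$conf" listen)
    case $listen in
        /*) ;;  # absolute path: UNIX socket
        *)  echo "OK: listen=$listen is not a UNIX socket"; return 0 ;;
    esac
    owner=$(pool_value "$conf" listen.owner)
    group=$(pool_value "$conf" listen.group)
    # Informational: owner and mode of the live socket, if present (GNU stat).
    [ -S "$listen" ] && echo "live: $(stat -c '%U:%G %a' "$listen")"
    if [ "$owner" = "$web_user" ] || [ "$group" = "$web_user" ]; then
        echo "OK: $listen owner=${owner:-unset} group=${group:-unset}"
        return 0
    fi
    echo "FAIL: $listen owner=${owner:-unset} group=${group:-unset}; $web_user gets 502s"
    return 1
}

# write_sample_pool FILE FIXED: constructed www.conf excerpt; FIXED=1 uncomments
# listen.owner/listen.group, which is the fix the report describes.
write_sample_pool() {
    p=';'; [ "$2" = 1 ] && p=''
    cat > "$1" <<EOF
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
${p}listen.owner = www-data
${p}listen.group = www-data
EOF
}

# Demo on the constructed excerpt: commented form first, then the fixed form.
f=$(mktemp)
write_sample_pool "$f" 0; audit_pool "$f" www-data || true
write_sample_pool "$f" 1; audit_pool "$f" www-data; rm -f "$f"
```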