I recently updated PHP-FPM to version 7.4.2 (on Arch Linux) and noticed it stopped working (everything was fine before) by responding “File not found” to all clients.
The process, and also nginx, run under my personal user account (kevin, UID 1000). Nginx serves static content from my home directory /home/kevin/.web just fine but PHP-FPM can’t execute PHP scripts in it.
I straced the PHP-FPM worker process and here is the interesting part:

    lstat("/home/kevin/.web/test.php", 0x7ffe0d4bf1f0) = -1 EACCES (Permission denied)
    stat("/home/kevin/.web", 0x7ffe0d4c1640) = -1 EACCES (Permission denied)
    stat("/home/kevin", 0x7ffe0d4c1640) = -1 EACCES (Permission denied)
    stat("/home", {st_mode=S_IFDIR|000, st_size=40, ...}) = 0
    stat("", 0x7ffe0d4c1640) = -1 ENOENT (No such file or directory)
And here are the file permissions (as obtained using ls -l):

    drwxr-xr-x 1 root root /home
    drwxrwx--- 1 kevin kevin /home/kevin
    drwxr-xr-x 1 kevin kevin /home/kevin/.web
    -rw-r--r-- 1 kevin kevin /home/kevin/.web/test.php
I’m 100 % positive the PHP-FPM worker process runs under my user account, its status file under procfs shows:

    $ grep "[UG]id" /proc/{830,831}/status
    /proc/830/status:Uid: 1000 1000 1000 1000
    /proc/830/status:Gid: 1000 1000 1000 1000
    /proc/831/status:Uid: 1000 1000 1000 1000
    /proc/831/status:Gid: 1000 1000 1000 1000

htop:

    PID TGID USER  NI   RES MEM% S CPU% START   TIME+ Command
    791  791 root   0 21752  0.1 S  0.0 17:49 0:00.26 ├─ php-fpm: master process (/etc/php/php-fpm.conf)
    831  831 kevin  0 11336  0.1 S  0.0 17:49 0:00.00 │ ├─ php-fpm: pool www
    830  830 kevin  0 11336  0.1 S  0.0 17:49 0:00.00 │ └─ php-fpm: pool www
    813  813 root   0  1348  0.0 S  0.0 17:49 0:00.00 ├─ nginx: master process
    814  814 kevin  0  6672  0.0 S  0.0 17:49 0:00.01 │ └─ nginx: worker process
Please note that nginx can perfectly access files in the same directory with identical permissions!
How can a process running under kevin fail (EACCES) to stat files owned by itself with proper permissions?
Answer
I found out why it fails by searching the changelog of recent PHP versions.
In version 7.4.0, the systemd service unit was updated to include ProtectHome=true; I’m still curious to know how this works. Setting it to false fixed the problem.
Sources:
https://github.com/php/php-src/commit/40c4d7f1820df1872a71ab07fd26da45a203e37f#commitcomment-36536173
https://bbs.archlinux.org/viewtopic.php?id=251050
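
Added example, not part of the original question or answer: systemd applies ProtectHome=true by starting the unit's processes in a private mount namespace where /home, /root and /run/user are covered by inaccessible, empty directories, which is consistent with the mode-000 /home in the strace output while nginx, started from a different unit, still sees the real directory. The script below checks a PID for that condition; the function names are hypothetical and the sample mountinfo lines are constructed.

```shell
#!/bin/sh
# Added diagnostic sketch. Run as root so /proc/<pid>/ns and mountinfo of
# service processes are readable.

# Constructed sample: mountinfo excerpt as seen by a service with ProtectHome=true.
# Mount IDs, device numbers and options are made up; the layout is proc(5) mountinfo.
sample_mountinfo() {
cat <<'EOF'
590 589 254:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw
601 590 0:23 / /run rw,nosuid,nodev shared:12 - tmpfs run rw,mode=755
621 590 0:23 /systemd/inaccessible/dir /home ro,nosuid,nodev,noexec - tmpfs run rw,mode=755
622 590 0:23 /systemd/inaccessible/dir /root ro,nosuid,nodev,noexec - tmpfs run rw,mode=755
623 601 0:23 /systemd/inaccessible/dir /run/user ro,nosuid,nodev,noexec - tmpfs run rw,mode=755
EOF
}

# List mounts sitting on the directories ProtectHome= covers.
# mountinfo: field 4 = root of the mount inside its filesystem, field 5 = mount point,
# filesystem type = first field after the "-" separator (optional fields vary in count).
masked_mounts() {
    awk '$5 == "/home" || $5 == "/root" || $5 == "/run/user" {
        for (i = 7; i <= NF; i++) if ($i == "-") break
        print $5, "root=" $4, "fstype=" $(i + 1)
    }' "${1:--}"
}

# Compare a process's mount namespace with PID 1 and show what covers its home dirs.
diagnose() {
    pid=$1
    if [ "$(readlink "/proc/$pid/ns/mnt")" = "$(readlink /proc/1/ns/mnt)" ]; then
        echo "PID $pid shares the host mount namespace"
    else
        echo "PID $pid has a private mount namespace; mounts over home directories:"
        masked_mounts "/proc/$pid/mountinfo"
    fi
}

# Usage: sh script.sh <pid>   (e.g. one of the php-fpm worker PIDs)
[ "$#" -eq 0 ] || diagnose "$1"
```

A mount whose root is not the top of a real filesystem (here a directory under /run) sitting on /home means the process is looking at a substitute directory, so ownership and mode bits of the real /home/kevin never come into play.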