
PHP-FPM can’t access files in home directory — stat EACCES — “File not found”

I recently updated PHP-FPM to version 7.4.2 (on Arch Linux) and noticed it stopped working (everything was fine before) by responding “File not found” to all clients.

The process, and also nginx, run under my personal user account (kevin UID 1000). Nginx serves static content from my home directory /home/kevin/.web just fine but PHP-FPM can’t execute PHP scripts in it.

I straced the PHP-FPM worker process and here is the interesting part:

    lstat("/home/kevin/.web/test.php", 0x7ffe0d4bf1f0) = -1 EACCES (Permission denied)
    stat("/home/kevin/.web", 0x7ffe0d4c1640) = -1 EACCES (Permission denied)
    stat("/home/kevin", 0x7ffe0d4c1640)     = -1 EACCES (Permission denied)
    stat("/home", {st_mode=S_IFDIR|000, st_size=40, ...}) = 0
    stat("", 0x7ffe0d4c1640)                = -1 ENOENT (No such file or directory)

And here are the file permissions (as obtained using ls -l):

    drwxr-xr-x 1 root  root  /home
    drwxrwx--- 1 kevin kevin /home/kevin
    drwxr-xr-x 1 kevin kevin /home/kevin/.web
    -rw-r--r-- 1 kevin kevin /home/kevin/.web/test.php

I’m 100 % positive the PHP-FPM worker process runs under my user account; its status file under procfs shows:

    $ grep "[UG]id" /proc/{830,831}/status
    /proc/830/status:Uid:   1000    1000    1000    1000
    /proc/830/status:Gid:   1000    1000    1000    1000
    /proc/831/status:Uid:   1000    1000    1000    1000
    /proc/831/status:Gid:   1000    1000    1000    1000

htop:

    PID    TGID USER       NI   RES MEM% S CPU% START   TIME+  Command
    791     791 root        0 21752  0.1 S  0.0 17:49  0:00.26 ├─ php-fpm: master process (/etc/php/php-fpm.conf)
    831     831 kevin       0 11336  0.1 S  0.0 17:49  0:00.00 │  ├─ php-fpm: pool www
    830     830 kevin       0 11336  0.1 S  0.0 17:49  0:00.00 │  └─ php-fpm: pool www
    813     813 root        0  1348  0.0 S  0.0 17:49  0:00.00 ├─ nginx: master process
    814     814 kevin       0  6672  0.0 S  0.0 17:49  0:00.01 │  └─ nginx: worker process  

Please note that nginx can perfectly access files in the same directory with identical permissions!

How can a process running under kevin fail (EACCES) to stat files owned by itself with proper permissions?

Answer

I found out why it fails by searching the changelog of recent PHP versions.

In version 7.4.0, the systemd service unit was updated to include ProtectHome=true; I’m still curious to know how this works. Setting it to false fixed the problem.

Sources:
https://github.com/php/php-src/commit/40c4d7f1820df1872a71ab07fd26da45a203e37f#commitcomment-36536173
https://bbs.archlinux.org/viewtopic.php?id=251050
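
How `ProtectHome=true` produces the `EACCES` results in the strace above, as an added diagnostic sketch that is not part of the original post: systemd starts the service in a private mount namespace in which `/home`, `/root` and `/run/user` are covered by inaccessible mounts, so comparing the worker's `mountinfo` with the host's exposes them. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original post).

# List mounts covering /home, /root or /run/user that appear in the service's
# mountinfo ($2) but not in the host's ($1). mountinfo fields: 4 = root of the
# mount, 5 = mount point; the filesystem type follows the "-" separator.
service_only_mounts() {
    awk '
        $5 == "/home" || $5 == "/root" || $5 == "/run/user" {
            fstype = "?"
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype = $(i + 1); break }
            key = $5 " " $4 " " fstype
            if (FILENAME == ARGV[1]) host[key] = 1
            else if (!(key in host)) print key
        }' "$1" "$2"
}

# Live use, as root (830 is the worker PID from the question):
#   readlink /proc/1/ns/mnt /proc/830/ns/mnt    # different IDs = private namespace
#   service_only_mounts /proc/1/mountinfo /proc/830/mountinfo

# Constructed sample data standing in for the two mountinfo files.
demo() {
    host=$(mktemp) && svc=$(mktemp) || return 1
    cat > "$host" <<'EOF'
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
31 25 0:23 / /run rw,nosuid,nodev shared:12 - tmpfs run rw,mode=755
EOF
    cat > "$svc" <<'EOF'
480 479 8:2 / / rw,relatime shared:300 master:1 - ext4 /dev/sda2 rw
495 480 0:23 /systemd/inaccessible/dir /home ro,nosuid,nodev,noexec shared:310 master:12 - tmpfs run rw,mode=755
496 480 0:23 /systemd/inaccessible/dir /root ro,nosuid,nodev,noexec shared:311 master:12 - tmpfs run rw,mode=755
497 480 0:23 /systemd/inaccessible/dir /run/user ro,nosuid,nodev,noexec shared:312 master:12 - tmpfs run rw,mode=755
EOF
    service_only_mounts "$host" "$svc"
    rm -f "$host" "$svc"
}

demo
```

If the document root has to stay under `/home`, `ProtectHome=read-only` set in a drop-in (`systemctl edit`) keeps the directories visible but not writable, which is a narrower change than `false`.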
