PHP :: Request #80498 :: error log and FPM access log file permissions settings

error log and FPM access log file permissions settings

Submitted:

2020-12-09 08:47 UTC

Modified:

2020-12-11 10:23 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

jordan dot lenuff at gmail dot com

Assigned:

Status:

Open

Package:

*Configuration Issues

PHP Version:

7.4.13

OS:

CentOS 7

Private report:

CVE-ID:

None

View Developer Edit

[2020-12-09 08:47 UTC] jordan dot lenuff at gmail dot com

Description:
------------
On several PHP versions, I noticed that error log files do not have correct permissions with PHP-FPM.
I did a fresh compilation of 7.4.13 version of PHP with FPM, integrated with systemd, and I don't understand why the error log files permissions are wrong.
The files created by PHP scripts have correct permissions, but files created by PHP daemon have wrong permissions.
As far as I can search over the net, it's seems PHP does not provide umask configuration for error log files.

Test script:
---------------
mkdir -p /local/php/php-7.4.13 /local/builds /local/php/sockets /local/php/sessions
wget https://www.php.net/distributions/php-7.4.13.tar.gz
tar -zxf php-7.4.13.tar.gz -C /local/builds
cd /local/builds/php-7.4.13
./configure \
--prefix=/local/php/php-7.4.13 \
--with-config-file-path=/local/php/php-7.4.13 \
--disable-all \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
... and whatever you want
&& make && make install
cp /local/php/php-7.4.13/etc/php-fpm.conf.default /local/php/php-7.4.13/etc/php-fpm.conf
cp /local/builds/php-7.4.13/php.ini-production /local/php/php-7.4.13/php.ini
echo "[localhost]" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen = /local/php/sockets/php-7.4.13_\$pool.sock" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen.owner = php-fpm" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen.group = www" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen.mode = 0660" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm = dynamic" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.max_children = 5" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.start_servers = 2" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.min_spare_servers = 1" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.max_spare_servers = 3" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.status_path = /php-fpm-status" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "ping.path = /php-fpm-ping" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "access.log = /data/logs/\$pool/\$pool_php-7.4.13.access.log" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "slowlog = /data/logs/\$pool/\$pool_php-7.4.13.log.slow" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-7.4.13.log" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_flag[log_errors] = on" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_reporting] = E_ALL" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_value[session.save_path] = \"/local/php/sessions/\$pool/\"" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_value[session.save_path] = \"/local/php/\$pool/\"" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
chown -R php-fpm:www /local/php
cp /local/builds/php-7.4.13/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-7.4.13.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-7.4.13.service
chmod o+r /usr/lib/systemd/system/php-fpm-7.4.13.service
systemctl daemon-reload
systemctl start php-fpm-7.4.13.service

And then, some Apache configuration to send php files to the PHP socket.
Here is the php code to create the test.txt file :
<?php

$file = '/data/logs/localhost/test.txt';
$current = file_get_contents($file);
$current .= "Une ligne\n";
file_put_contents($file, $current);

?>


Expected result:
----------------
drwxrwx---  2 php-fpm www  4096  8 déc.  18:17 .
drwxrwxr-x 22 php-fpm www  4096  8 déc.  16:18 ..
-rw-rw----  1 php-fpm www 82004  9 déc.  09:23 localhost_php-7.4.13.access.log
-rw-rw----  1 php-fpm www   312  8 déc.  18:17 localhost_php-7.4.13.log
-rw-rw----  1 php-fpm www    10  8 déc.  18:17 test.txt


Actual result:
--------------
drwxrwx---  2 php-fpm www  4096  8 déc.  18:17 .
drwxrwxr-x 22 php-fpm www  4096  8 déc.  16:18 ..
-rw-------  1 php-fpm www 82004  9 déc.  09:23 localhost_php-7.4.13.access.log
-rw-r-----  1 php-fpm www   312  8 déc.  18:17 localhost_php-7.4.13.log
-rw-rw----  1 php-fpm www    10  8 déc.  18:17 test.txt

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-12-09 09:25 UTC] requinix@php.net

-Summary: error log file permissions setting +Summary: error log and FPM access log file permissions settings -Status: Open +Status: Feedback

[2020-12-09 09:25 UTC] requinix@php.net

Currently, FPM's access log is hardcoded to 0600 and the general error_log to 0644.

https://github.com/php/php-src/blob/PHP-7.4.13/sapi/fpm/fpm/fpm_log.c#L43
https://github.com/php/php-src/blob/PHP-7.4.13/main/main.c#L873

They've both been like that for a very long time so it's hard to say what the reasoning for each choice was, however I would guess the access log is unreadable because it may contain private information?

But besides that, why should either file should be *writable* by Group?

[2020-12-09 13:44 UTC] jordan dot lenuff at gmail dot com

Why these files should be readable and/or writable for group depends on individual needs.
In my opinion, these files (error log and access) should at least inherit the permissions of the PHP-FPM process (php-fpm:www and 0007 umask in my case).
Or better yet : their permissions could be defined by a "log_files_permissions" parameter for example. If the parameter is not defined, they inherit the actual value 0600 and 0644 by default.

[2020-12-11 10:23 UTC] jordan dot lenuff at gmail dot com

-Status: Feedback +Status: Open

[2020-12-11 10:23 UTC] jordan dot lenuff at gmail dot com

Switch to Open status (ommited)

[2021-01-22 04:37 UTC] colleenlopez1985 at gmail dot com

PHP-FPM recommended to open the error log, so you can see the error if the need to create their own log directory PHP directory, assign permissions must Php is also possible to also open access journal, is in the same configuration file.



https://mypennmedicine.me/

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 15:00:01 2025 UTC