Request #80498 error log and FPM access log file permissions settings
Submitted: 2020-12-09 08:47 UTC Modified: 2020-12-11 10:23 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jordan dot lenuff at gmail dot com Assigned:
Status: Open Package: *Configuration Issues
PHP Version: 7.4.13 OS: CentOS 7
Private report: No CVE-ID: None
 [2020-12-09 08:47 UTC] jordan dot lenuff at gmail dot com
Description:
------------
On several PHP versions, I noticed that error log files do not have correct permissions with PHP-FPM.
I did a fresh compilation of 7.4.13 version of PHP with FPM, integrated with systemd, and I don't understand why the error log files permissions are wrong.
The files created by PHP scripts have correct permissions, but files created by PHP daemon have wrong permissions.
As far as I can search over the net, it seems PHP does not provide a umask configuration for error log files.

Test script:
---------------
mkdir -p /local/php/php-7.4.13 /local/builds /local/php/sockets /local/php/sessions
wget https://www.php.net/distributions/php-7.4.13.tar.gz
tar -zxf php-7.4.13.tar.gz -C /local/builds
cd /local/builds/php-7.4.13
# ... and whatever other configure options you want
./configure \
--prefix=/local/php/php-7.4.13 \
--with-config-file-path=/local/php/php-7.4.13 \
--disable-all \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
&& make && make install
cp /local/php/php-7.4.13/etc/php-fpm.conf.default /local/php/php-7.4.13/etc/php-fpm.conf
cp /local/builds/php-7.4.13/php.ini-production /local/php/php-7.4.13/php.ini
echo "[localhost]" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen = /local/php/sockets/php-7.4.13_\$pool.sock" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen.owner = php-fpm" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen.group = www" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "listen.mode = 0660" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm = dynamic" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.max_children = 5" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.start_servers = 2" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.min_spare_servers = 1" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.max_spare_servers = 3" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "pm.status_path = /php-fpm-status" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "ping.path = /php-fpm-ping" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "access.log = /data/logs/\$pool/\$pool_php-7.4.13.access.log" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "slowlog = /data/logs/\$pool/\$pool_php-7.4.13.log.slow" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-7.4.13.log" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_flag[log_errors] = on" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_reporting] = E_ALL" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_admin_value[session.save_path] = \"/local/php/sessions/\$pool/\"" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
echo "php_value[session.save_path] = \"/local/php/\$pool/\"" >> /local/php/php-7.4.13/etc/php-fpm.d/localhost.conf
chown -R php-fpm:www /local/php
cp /local/builds/php-7.4.13/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-7.4.13.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-7.4.13.service
chmod o+r /usr/lib/systemd/system/php-fpm-7.4.13.service
systemctl daemon-reload
systemctl start php-fpm-7.4.13.service

And then, some Apache configuration to send php files to the PHP socket.
Here is the php code to create the test.txt file:
<?php

$file = '/data/logs/localhost/test.txt';
$current = file_get_contents($file);
$current .= "Une ligne\n";
file_put_contents($file, $current);

?>


Expected result:
----------------
drwxrwx---  2 php-fpm www  4096  8 déc.  18:17 .
drwxrwxr-x 22 php-fpm www  4096  8 déc.  16:18 ..
-rw-rw----  1 php-fpm www 82004  9 déc.  09:23 localhost_php-7.4.13.access.log
-rw-rw----  1 php-fpm www   312  8 déc.  18:17 localhost_php-7.4.13.log
-rw-rw----  1 php-fpm www    10  8 déc.  18:17 test.txt


Actual result:
--------------
drwxrwx---  2 php-fpm www  4096  8 déc.  18:17 .
drwxrwxr-x 22 php-fpm www  4096  8 déc.  16:18 ..
-rw-------  1 php-fpm www 82004  9 déc.  09:23 localhost_php-7.4.13.access.log
-rw-r-----  1 php-fpm www   312  8 déc.  18:17 localhost_php-7.4.13.log
-rw-rw----  1 php-fpm www    10  8 déc.  18:17 test.txt


History

 [2020-12-09 09:25 UTC] requinix@php.net
-Summary: error log file permissions setting +Summary: error log and FPM access log file permissions settings -Status: Open +Status: Feedback
 [2020-12-09 09:25 UTC] requinix@php.net
Currently, FPM's access log is hardcoded to 0600 and the general error_log to 0644.

https://github.com/php/php-src/blob/PHP-7.4.13/sapi/fpm/fpm/fpm_log.c#L43
https://github.com/php/php-src/blob/PHP-7.4.13/main/main.c#L873

They've both been like that for a very long time, so it's hard to say what the reasoning for each choice was; however, I would guess the access log is unreadable because it may contain private information?

But besides that, why should either file be *writable* by Group?
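An added example, not part of the thread, showing why a systemd UMask=0007 cannot produce the expected group-writable logs: open(2) with a hardcoded mode of 0600 or 0644 is masked by the umask, which can only clear bits, never set them. The modes for the access log, error_log and file_put_contents() (0666, the request that yields the rw-rw---- test.txt in the report) are taken from this thread; the helper names are my own.

```python
"""Demonstrate requested_mode & ~umask for PHP-FPM's log files (added example)."""
import os
import stat
import tempfile

FPM_ACCESS_LOG_MODE = 0o600   # hardcoded in sapi/fpm/fpm/fpm_log.c (per the thread)
PHP_ERROR_LOG_MODE = 0o644    # hardcoded in main/main.c (per the thread)
SCRIPT_FILE_MODE = 0o666      # mode file_put_contents() requests; umask 0007 -> 0660


def effective_mode(requested: int, umask: int) -> int:
    """Permission bits the kernel assigns on create: requested & ~umask.
    A umask can remove bits; it can never add group-write to 0600."""
    return requested & ~umask & 0o777


def create_with_mode(directory: str, name: str, mode: int, umask: int) -> int:
    """Really create a file with open(O_CREAT, mode) under `umask` and
    return its permission bits, so the arithmetic above is verified."""
    path = os.path.join(directory, name)
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, mode)
        os.close(fd)
    finally:
        os.umask(old)          # restore the process umask
    return stat.S_IMODE(os.stat(path).st_mode)


def group_can_write(mode: int) -> bool:
    return bool(mode & stat.S_IWGRP)


def demo(umask: int = 0o007) -> dict:
    """Reproduce the reporter's 'Actual result' in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "access.log": create_with_mode(d, "access.log", FPM_ACCESS_LOG_MODE, umask),
            "error.log": create_with_mode(d, "error.log", PHP_ERROR_LOG_MODE, umask),
            "test.txt": create_with_mode(d, "test.txt", SCRIPT_FILE_MODE, umask),
        }


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:04o} group-writable={group_can_write(mode)}")
```

The output matches the report: the access log stays 0600, error_log becomes 0640 and only the script-created file is 0660, so a wider mode has to come from the daemon's own open() call (or a new option), not from the unit's UMask.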
 [2020-12-09 13:44 UTC] jordan dot lenuff at gmail dot com
Why these files should be readable and/or writable by group depends on individual needs.
In my opinion, these files (error log and access log) should at least inherit the permissions of the PHP-FPM process (php-fpm:www and 0007 umask in my case).
Or better yet: their permissions could be defined by a "log_files_permissions" parameter, for example. If the parameter is not defined, they inherit the current values 0600 and 0644 by default.
 [2020-12-11 10:23 UTC] jordan dot lenuff at gmail dot com
-Status: Feedback +Status: Open
 [2020-12-11 10:23 UTC] jordan dot lenuff at gmail dot com
Switch to Open status (omitted)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 13:01:29 2024 UTC