How do I run the php-fpm master process as a non-root user?
root 10275 0.0 0.5 192856 23104 ? Ss Nov20 0:01 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
Related
My issue is as follows:
1 server running Debian 11 (though I've tested with 9 and 10 and they both show the same behaviour) with 2 websites both configured to run with php-fpm & apache. Each site has a single index.php file and the contents of those files is <?php phpinfo(); ?>. 1 site has been set to run php8.0 and the other php8.1, this represents a real world situation that I'm dealing with. This has been set up by including an apache config file into my main apache config file for each site with the contents:
<IfModule proxy_fcgi_module>
    # Enable http authorization headers
    <IfModule setenvif_module>
        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <FilesMatch ".+\.ph(ar|p|tml)$">
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/run/php/php8.0-fpm.sock|fcgi://localhost"
        </If>
    </FilesMatch>
    <FilesMatch ".+\.(phps|inc)$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(ar|p|ps|tml)$">
        Require all denied
    </FilesMatch>
</IfModule>
The config file for php8.1 then uses the php8.1-fpm.sock. ps aux shows the following:
root 114787 0.0 0.3 222780 27312 ? Ss 17:10 0:00 php-fpm: master process (/etc/php/8.0/fpm/php-fpm.conf)
www-data 114788 0.0 0.5 247140 48664 ? S 17:10 0:03 php-fpm: pool www
www-data 114789 0.0 0.5 247128 48592 ? S 17:10 0:03 php-fpm: pool www
www-data 114790 0.0 0.6 247136 48748 ? S 17:10 0:03 php-fpm: pool www
www-data 114791 0.0 0.5 247128 48676 ? S 17:10 0:05 php-fpm: pool www
www-data 114792 0.0 0.5 247132 48548 ? S 17:10 0:04 php-fpm: pool www
root 114802 0.0 0.3 227196 28120 ? Ss 17:10 0:00 php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)
www-data 114803 0.0 0.3 227764 26744 ? S 17:10 0:00 php-fpm: pool www
www-data 114804 0.0 0.1 227196 8896 ? S 17:10 0:00 php-fpm: pool www
www-data 114805 0.0 0.1 227196 8896 ? S 17:10 0:00 php-fpm: pool www
www-data 114806 0.0 0.1 227196 8896 ? S 17:10 0:00 php-fpm: pool www
What I really don't understand is why when I keep refreshing the individual pages do I sometimes see the 8.0 site showing that it is using php8.1 and vice versa. I sometimes have to refresh the pages 10-20 times before it switches but it never fails to show up sooner rather than later.
How would I go about figuring out why this is happening, or is there something very obvious that I'm missing?
Many thanks in advance!
Today I wanted to enable the slow log with PHP-FPM, so I configured some parameters in php-fpm.conf.
In the end I have a problem: it can create the slow log, but it can't write any content into it.
Can someone help me? Thanks a lot.
My website is running in Docker, my Nginx uses Unix sockets to communicate with PHP-FPM, and Nginx is running as root.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php-fpm7.sock;
}
My php-fpm.conf is
[www123]
user = app
group = app
listen = /var/run/php-fpm7.sock
listen.owner = app
listen.group = app
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /app/logs/my_slow_log/$pool.log.slow
request_slowlog_timeout = 1s
Next, I created the directory app/logs/my_slow_log and restarted PHP-FPM. It created the file www123.log.slow in the directory app/logs/my_slow_log, but the file's permission/user/group is wrong: it was 600 / root / root.
/app/logs/my_slow_log # ls -al
total 4
drwxr-xr-x 2 app app 28 May 16 19:32 .
drwxrwxrwx 3 app app 4096 May 16 19:00 ..
-rw------- 1 root root 0 May 16 19:32 www123.log.slow
There are some running processes
app/logs/my_slow_log # ps -ef
PID USER TIME COMMAND
1 root 0:00 runsvdir /etc/service
7 root 0:00 runsv nginx
8 root 0:00 runsv javabridge
9 root 0:00 runsv php7
10 root 0:00 java -jar /usr/lib/jvm/java-1.8-openjdk/jre/lib/ext/JavaBridge.jar SERVLET_LOCAL:8080
11 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf -g daemon off;
12 root 0:00 {php-fpm7} php-fpm: master process (/etc/php7/php-fpm.conf)
13 root 0:00 nginx: worker process
14 root 0:00 nginx: worker process
15 root 0:00 nginx: worker process
16 root 0:00 nginx: worker process
22 app 0:00 {php-fpm7} php-fpm: pool www123
23 app 0:00 {php-fpm7} php-fpm: pool www123
I found that the master php-fpm process was running as root, but the child processes were running as app, so I modified php-fpm.conf, changing:
user = root
group = root
listen.owner = root
listen.group = root
Then I restarted PHP-FPM and got some error messages:
ERROR: [pool www123] please specify user and group other than root
ERROR: FPM initialization failed
It can't work as root.
I think the problem was that /app/logs/my_slow_log/www123.log.slow was created by the PHP-FPM master process as root, and my child process runs as user app, so it can't write anything into the slow log.
I don't know what really happened, can anybody help me?
Thanks.
You can use this command (chmod 777 my_slow_log). I think the log directory permission is not important.
I have a custom php process running on my server: /etc/php/7.1/fpm/master.d/custom_name.conf
root 2620 0.0 2.6 412440 26808 ? Ss May31 0:33 php-fpm: master process (/etc/php/7.1/fpm/master.d/custom_name.conf)
root 6822 0.0 0.0 13384 916 pts/1 S+ 19:58 0:00 grep php
root 27575 0.0 1.1 410680 11828 ? Ss May31 0:33 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 27578 0.0 0.5 410680 5760 ? S May31 0:00 php-fpm: pool www
www-data 27579 0.0 0.5 410680 5760 ? S May31 0:00 php-fpm: pool www
And the config exists in the directory /etc/php/fpm/master.d/custom_name.conf.
But I don't even know how to restart this service. I changed the config file and tried service php7.1-fpm stop, but the process is still alive.
If I try service php7.1-fpm start or service php7.1-fpm restart, the process /etc/php/7.1/fpm/php-fpm.conf appears, but the old process is still working. Maybe the command service php7.1-fpm has parameters where I can pass extra config data. Example config file from the master.d directory.
Here is the config of this file /etc/php/7.1/fpm/master.d/custom_name.conf:
[global]
pid = /run/php7.1-fpm.custom_name.pid
error_log = /var/log/php7.1-fpm.log
[custom_name]
user = custom_name
group = custom_name
listen = /var/run/php7.1-fpm.custom_name.sock
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.status_path = /fpm-status
chdir = /
catch_workers_output = yes
php_admin_value[session.save_path] = /var/www/custom_name.com/sessions
php_admin_value[open_basedir] = /var/www/custom_name.com/code/public:/tmp:/usr/share/php:/var/www/tools/
php_admin_flag[log_errors] = on
php_admin_flag[opcache.enable] = on
Thanks in advance
Finally, the hoster told me how to restart this process:
sudo service php7.2-fpm#custom_name restart
My Caddy File
http://bot.vibs.tech {
    root /home/caddy/www/botsite
    tls off
    errors {
        404 /home/caddy/www/botsite/404.html
    }
    fastcgi / 127.0.0.1:9001 php {
        ext .php
        split .php
        index index.php
    }
}
The Webpage http://bot.vibs.tech/test.php
Home Page http://bot.vibs.tech
My PHP Script
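<?php
// Connect to Redis (phpredis extension; host and port are assumed defaults)
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);

if (!empty($_POST["submit"])) {
    $test = $_POST["botsname"];
    $redis->set('message', $test);
    $value = $redis->get('message');
    // Escape user-supplied data before echoing it into the page
    echo "<p>" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "</p>";
}
if (empty($url)) {
    echo "<h2><div style=\"color: Black;\">THANK YOU, YOUR BOT IS BEING MADE!</div></h2>";
    echo "<h2><div style=\"color: Black;\"><a href=\"http://bot.vibs.tech/\">HOME</a></div></h2>";
}
?>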
Tried lots of different things, not sure what else I could try to do.
Also I'm trying to implement Redis for this so I can have a database from a form I'm currently working on.
Additional Info
Tried /etc/init.d/php7.0-fpm status
● php7.0-fpm.service - The PHP 7.0 FastCGI Process Manager
Loaded: loaded (/lib/systemd/system/php7.0-fpm.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-08-26 11:27:49 EDT; 4min 55s ago
Process: 17295 ExecStartPre=/usr/lib/php/php7.0-fpm-checkconf (code=exited, status=0/SUCCESS)
Main PID: 17304 (php-fpm7.0)
Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec"
CGroup: /system.slice/php7.0-fpm.service
├─17304 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
├─17305 php-fpm: pool www
└─17306 php-fpm: pool www
Aug 26 11:27:49 Vibs systemd[1]: Starting The PHP 7.0 FastCGI Process Manager...
Aug 26 11:27:49 Vibs systemd[1]: Started The PHP 7.0 FastCGI Process Manager.
Hint: Some lines were ellipsized, use -l to show in full.
Says it's started.
Also did ps aux | grep php-fpm:
root 17304 0.0 0.8 211748 17128 ? Ss 11:27 0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
www-data 17305 0.0 0.1 211748 3224 ? S 11:27 0:00 php-fpm: pool www
www-data 17306 0.0 0.1 211748 3224 ? S 11:27 0:00 php-fpm: pool www
caddy 18003 0.0 0.0 11228 884 pts/0 S+ 15:33 0:00 grep --color=auto php-fpm
Perhaps I'm missing something extremely basic, but how is it that my web server is able to execute and serve content from php files that have permission 000?
Here's the file in question: http://178.62.125.162/test.php
Location is:
/usr/share/nginx/html/wordpress/test.php
Here's the ls:
---------- 1 deploy deploy 21 May 22 09:40 test.php
nginx.conf has line:
user www-data;
So it's not running as root or anything.
ps aux | grep [n]ginx
root 30223 0.0 0.1 85876 1364 ? Ss May21 0:00 nginx: master process /usr/sbin/nginx
www-data 30224 0.0 0.1 86172 1796 ? S May21 0:03 nginx: worker process
www-data 30225 0.0 0.1 86172 1796 ? S May21 0:03 nginx: worker process
www-data 30226 0.0 0.2 86516 2732 ? S May21 0:00 nginx: worker process
www-data 30227 0.0 0.1 86172 1796 ? S May21 0:03 nginx: worker process
Looks normal to me, AFAIK the master process running as root is expected.
And php-fpm:
ps aux | grep php
root 30311 0.0 1.8 309068 18580 ? Ss May21 0:02 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 30314 0.0 3.5 393324 36176 ? S May21 0:01 php-fpm: pool www
www-data 30315 0.0 3.1 388956 32112 ? S May21 0:01 php-fpm: pool www
www-data 30391 0.0 2.9 389828 29528 ? S May21 0:00 php-fpm: pool www
I can't even open the file myself, logged in as deploy:
cat test.php
cat: test.php: Permission denied
php test.php
Could not open input file: test.php
Googled everywhere, but most things I find are related to the opposite- people getting Forbidden errors.
Perhaps it's because it's in /usr/share? Thanks!
Extra info:
Ubuntu x64 LTS
PHP-FPM
Update:
Restarting the php-fpm service after changing the permission fixes it. But this makes no sense to me:
chmod 000 test.php - web echoes "test"
service php5-fpm restart - Access Denied
chmod 644 test.php - web echoes "test". No need for a restart this time?
chmod 000 test.php - web echoes "test".
Thanks to Alexander Ushakov for providing the answers.
The file with the readable permission had been cached by php-fpm. Restarting php-fpm meant that the cache was cleared and the web server then served the new file with the restricted access.
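Every ps listing on this page shows the same layout: a php-fpm master owned by root and pool workers owned by the user configured for the pool. The script below is an added example, not taken from any of the posts, that summarises that layout per master and flags any pool worker running as root. The sample listing is constructed: the PIDs and config paths are borrowed from the listings above, while the parent PIDs and the legacy pool are invented for illustration.

```shell
#!/bin/sh
# Added example: summarise php-fpm masters and the users their pool workers
# run as. Reads `ps -eo user,pid,ppid,args` output on stdin.

fpm_audit() {
    awk '
    /php-fpm: master process/ {
        conf = $NF; gsub(/[()]/, "", conf)   # strip parentheses around the config path
        muser[$2] = $1; mconf[$2] = conf; masters[++n] = $2
        next
    }
    /php-fpm: pool / {
        key = $3 SUBSEP $NF SUBSEP $1        # parent pid, pool name, worker user
        if (!(key in count)) keys[++k] = key
        count[key]++
    }
    END {
        for (i = 1; i <= n; i++) {
            pid = masters[i]
            printf "master pid=%s user=%s conf=%s\n", pid, muser[pid], mconf[pid]
            for (j = 1; j <= k; j++) {
                split(keys[j], f, SUBSEP)
                if (f[1] != pid) continue
                flag = (f[3] == "root") ? "ROOT-WORKER" : "ok"
                printf "  pool=%s user=%s workers=%d %s\n", f[2], f[3], count[keys[j]], flag
            }
        }
    }'
}

# Constructed sample input. The root-owned "legacy" worker is hypothetical:
# php-fpm refuses a root pool unless started with --allow-to-run-as-root (-R).
sample_ps() {
    cat <<'EOF'
USER         PID    PPID COMMAND
root      114787       1 php-fpm: master process (/etc/php/8.0/fpm/php-fpm.conf)
www-data  114788  114787 php-fpm: pool www
www-data  114789  114787 php-fpm: pool www
root      114802       1 php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)
www-data  114803  114802 php-fpm: pool www
root      114900  114802 php-fpm: pool legacy
EOF
}

sample_ps | fpm_audit
```

On a live host, pipe the real listing in with ps -eo user,pid,ppid,args | fpm_audit.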