nginx/PHP file permission problems after yum update

General support questions
Mayfly
Posts: 6
Joined: 2014/10/01 07:29:23

nginx/PHP file permission problems after yum update

Post by Mayfly » 2014/10/01 07:56:15

After an update yesterday, file permissions were changed on:
/var/lib/php/session
/var/cache/nginx


This caused a failure to create PHP sessions with nginx/php-fpm and disabled phpMyAdmin.

Resolved by:
sudo chown root:nginx /var/lib/php/session
sudo chown -R nginx: /var/cache/nginx


Hope this helps someone...

User avatar
TrevorH
Forum Moderator
Posts: 32156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nginx/PHP file permission problems after yum update

Post by TrevorH » 2014/10/01 13:59:57

The /var/lib/php/session directory is owned by the php package so it thinks it knows how it should look and puts it back that way when it's updated. If you want to change the permissions then I suspect that altering its location in the php.ini file is a better way to preserve the permissions you want. Of course that may then have selinux knock-on effects...

Not sure about the nginx directory since that's not CentOS supplied but it's probably the same story.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

Mayfly
Posts: 6
Joined: 2014/10/01 07:29:23

Re: nginx/PHP file permission problems after yum update

Post by Mayfly » 2014/10/01 15:12:32

Thanks Trevor.

The issue is not so much the locations (which were set to defaults) as to the fact that the PHP package changed the ownership from 'nginx' back to 'apache', so breaking a production web server using Nginx. I agree that Nginx is not Centos supplied, but as it is becoming deployed quite widely now it would be nice to see this honoured by PHP package updates - and thus not require an artificial 'apache' user account.

Good point about SELinux, I seem to remember having to use the following context for PHP session files:

system_u:object_r:httpd_var_run_t:s0

One could at least argue that 'httpd' is slightly more generic than 'apache'!

Cheers, Alasdair

User avatar
remirepo
Posts: 439
Joined: 2014/09/21 09:07:12
Location: France
Contact:

Re: nginx/PHP file permission problems after yum update

Post by remirepo » 2014/10/01 15:23:47

/var/lib/php/session is owned by apache, as used by apache.

If you change the owner of php-fpm process, you also have to change session path.

- change owner of /var/lib/php/session => bad solution

- change session.save_path to a new location owned by the correct owner => good solution (as TrevorH said)

On C7, this is (I think) explained in the comments (but same can apply to C6)

In /etc/php.ini

Code: Select all

; RPM note : session directory must be owned by process owner
; for mod_php, see /etc/httpd/conf.d/php.conf
; for php-fpm, see /etc/php-fpm.d/*conf
;session.save_path = "/tmp"
And so, in your pool configuration, /etc/php-fpm.d/www.conf

Code: Select all

; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
So, you can change to

Code: Select all

; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/nginx-session
BTW, I don't know why you think you have to change the user of php-fpm ;)
Remi's Repository - Forum - Blog

Mayfly
Posts: 6
Joined: 2014/10/01 07:29:23

Re: nginx/PHP file permission problems after yum update

Post by Mayfly » 2014/10/01 16:11:52

Thanks again,

Don't want to prolong this too much - as we are getting into change request territory here...

I suppose I don't really understand why the PHP package even needs to create or modify this directory at install or upgrade time. Surely it would be better for it to be created on the fly if necessary - and thus just inherit the process owner... It seems that there is a good hint in the path name here that it should be web server agnostic:

/var/lib/php/session

Still don't know what happened to /var/cache/nginx... Maybe we can lay the blame for that at the door of an Nginx update; it was late at night and I clearly didn't keep a close enough eye on things! (Although fortunately, I did discover the damage fairly quickly)

User avatar
TrevorH
Forum Moderator
Posts: 32156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nginx/PHP file permission problems after yum update

Post by TrevorH » 2014/10/01 19:44:31

The point is that the php package OWNS that directory so it does what it wants to it. If you want to change the ownership it is much better to change the location that's used since that's done from php.ini which is marked in the RPM as a %config file so it does not get replaced and your changes to that will persist. And the package owning that directory is just a standard part of an RPM, it specifies in the rpm that the directory exists and what its ownership and permissions should be. When yum installs the new copy of the rpm then it makes that directory look like the rpm says it should and your changes are lost. If you change php.ini to point to a different sessions path then that change won't be lost and your own directory will be used and it will keep the permissions/ownership that you give it (assuming that you didn't point it to another directory owned by another rpm!).
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

Mayfly
Posts: 6
Joined: 2014/10/01 07:29:23

Re: nginx/PHP file permission problems after yum update

Post by Mayfly » 2014/10/01 22:17:30

Agree this is a PHP, not a CentOS, issue; however a quick search reveals that it has tripped up many people unnecessarily (and continues to do so). I am not convinced that the php package needs to own the session directory (as there nothing that needs to be in it initially) and it would cause far fewer problems if the default was to create it if absent. Even if there is an argument that it should own it (maybe for security reasons), then it seems wrong to default to 'apache' ownership when there are many installations using Nginx, Lighttpd etc. My main point here is that a number of people have quite reasonably changed the ownership of /var/lib/php/session etc. for different web servers, so the php package needs to reflect this and not cause inconvenient breakages on updates.

User avatar
TrevorH
Forum Moderator
Posts: 32156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nginx/PHP file permission problems after yum update

Post by TrevorH » 2014/10/01 22:41:33

The way that rpm works is that something has to own the directory or it would not exist and then anything that tried to use it would get an error.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke

Mayfly
Posts: 6
Joined: 2014/10/01 07:29:23

Re: nginx/PHP file permission problems after yum update

Post by Mayfly » 2014/10/02 07:36:12

Fair enough Trevor, but it would be better if the php package only owned '/var/lib/php' (with appropriate general PHP permissions) in the context of rpm, just treating 'session' as a temporary directory to be created on demand in the context of a host PHP process. If I find the time, I will raise this for discussion elsewhere...

User avatar
remirepo
Posts: 439
Joined: 2014/09/21 09:07:12
Location: France
Contact:

Re: nginx/PHP file permission problems after yum update

Post by remirepo » 2014/10/02 08:03:56

@Mayfly see https://bugzilla.redhat.com/show_bug.cgi?id=1146552
I really think this won't change.
Remi's Repository - Forum - Blog

Post Reply