
I am running FreeBSD 10.2 with a custom-compiled Apache 2.4.17 with php-fpm. The default pool ([www], almost a stock php-fpm setup) ran on user/group nobody/nobody. Apache runs on user/group daemon/daemon. It works fine connecting to a socket with a few different sites all running in the stock pool. They are low-priority sites using PHP for things like displaying the time.

In the long run, I want to work out some better privilege separation. I created a pool for a roundcube installation on a separate vhost owned by user rcuser, group rcuser (basically a regular FreeBSD shell account). By habit, I park web vhosts in /usr/vhosts/, so this site goes to /usr/vhosts/webmail/ with the application itself stored in /usr/vhosts/webmail/htdocs/. The whole webmail tree belongs to the user and group rcuser. Directories in this tree all have 750 and files have 640 permissions. The pool looks like this:

[rcuser]
user = rcuser
group = rcuser
listen = /var/run/php5-fpm-rcuser.sock
listen.owner = rcuser
listen.group = rcuser
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.min_spare_servers = 1
pm.start_servers = 2
pm.max_spare_servers = 3

So that Apache could access it, I created an ACL on each file and directory giving daemon equivalent access to /usr/vhosts/webmail/ and its subdirectories. Basically, that meant doing find /usr/vhosts/webmail/ -type d -exec setfacl -m user:daemon:rwx {} \; and find webmail/ -type f -exec setfacl -m user:daemon:rw {} \; Figured that would work, but it didn't work, giving me a file not found error when I tried to load Roundcube.

The next thing I tried was giving the other permission bit read access to files and rx access to directories. That worked. Roundcube worked great, but this obviously means other users can read files in it and find sensitive information like MySQL passwords. Not really what I want.

So, the next thing I did was find /usr/vhosts/webmail/ -exec chmod o-rwx {} \; to remove the liberal permissions for other users but keep the original rcuser permissions and daemon ACLs intact, and try to work out where the problem is. After some dicking around, I remembered the first pool I created runs as user nobody and did find /usr/vhosts/webmail/ -exec setfacl -m user:nobody:r-x {} \;. That worked. For some reason, php-fpm wants user nobody to have read and execute access in this second pool's directories.

So, ps -maux reveals php-fpm is running this pool under the right user rcuser. This isn't the biggest problem in the world for me, but I'm not really sure what security implications it might have when I start deploying this php-fpm setup across clients' sites. Plus, an extra and seemingly extraneous ACL to worry about is an annoyance.

Is there anything I can do to make user nobody not need this ACL?

Bolwerk

1 Answer


Oh, well, glad I wrote that all out because I think it inspired an answer. The default pool used TCP and I wanted my new one to use UNIX domain sockets. So, I had a minor syntax problem. I accidentally included some extra crap in the proxy setting line in Apache.

ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php5-fpm-rcuser.sock|fcgi://localhost:9000/usr/vhosts/webmail/htdocs/$1"

should have been

ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php5-fpm-rcuser.sock|fcgi://localhost/usr/vhosts/webmail/htdocs/"

It was connecting to the first pool, even though the second pool was running properly. That :9000 port designation and the $1 part at the end of the line had to go too.

So, I fixed Apache and ran:

find webmail/ -exec setfacl -b {} \; to clear ACL permissions and then ran find webmail/ -type d -exec setfacl -m user:daemon:rwx {} \;; find webmail/ -type f -exec setfacl -m user:daemon:rw {} \; to set them how I wanted them all along.

The setup seems like it could be nice, so hope this helps someone wrestling with Apache vhost permissions someday.

My long-term goal is to no longer need to run an FTPS server or use php_admin_value open_basedir.

Bolwerk

I ended up jailing this. Since this may permeate into Google search results, thought I'd also mention I had to make sure all connections in Roundcube were changed to use TCP as a result of the jail. – Bolwerk Nov 12 '15 at 01:31
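As an added check for the scheme in the answer above (example code, not from the original post or from Roundcube), a small script that audits the webmail tree for the two things the question worried about, "other" bits and entries not owned by the vhost account, and applies the daemon ACLs together with default entries so files Roundcube creates later inherit them. The helper names are hypothetical; the setfacl calls assume FreeBSD's POSIX.1e syntax as used in the post, and the -d default-entry form is an assumption that is not exercised here.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a vhost tree against the
# policy in the question (tree owned by one account, no "other" bits, Apache's
# daemon user admitted only via ACLs) and applies those ACLs. Helper names are
# hypothetical; setfacl calls assume FreeBSD POSIX.1e ACLs as used in the post.

# Count entries under $1 with any read/write/execute bit for "other".
# Octal -perm tests are used because symbolic -perm syntax differs between finds.
count_world_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Count entries under $1 not owned by user $2 (the whole tree should be rcuser's).
count_foreign_owner() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Apply the scheme from the answer: directories rwx, files rw for the web user
# (default: daemon). The -d pass adds default entries on directories so files
# Roundcube creates later (logs, temp) inherit the web user's access instead of
# needing another find run; the -d form is assumed here and not exercised.
# Run explicitly as the tree's owner or root; the audit never calls it.
apply_web_acl() {
    root=$1; web=${2:-daemon}
    find "$root" -exec setfacl -b {} \;                       # drop stale ACLs
    find "$root" -type d -exec setfacl -m "user:$web:rwx" {} \;
    find "$root" -type d -exec setfacl -d -m \
        "user::rwx,group::r-x,other::---,mask::rwx,user:$web:rwx" {} \;
    find "$root" -type f -exec setfacl -m "user:$web:rw" {} \;
}

# Report both counts; exit status 0 means the tree matches the policy.
# Note: this does not list ACL entries, so an extra user:nobody entry like the
# one in the question still has to be spotted with getfacl.
audit_vhost() {
    root=$1; owner=$2
    w=$(count_world_access "$root")
    f=$(count_foreign_owner "$root" "$owner")
    echo "world-accessible entries under $root: $w"
    echo "entries not owned by $owner: $f"
    [ "$w" -eq 0 ] && [ "$f" -eq 0 ]
}

# Example: audit_vhost /usr/vhosts/webmail rcuser
```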