
I have a FreeBSD 11 machine running latest Nginx and PHP-FPM in chrooted mode. Everything worked fine, until I added session_start(); to index.php.

This is when I received the following error:

    Fatal error: Uncaught Exception: Cannot open source device in /index.php:5
    Stack trace:
    #0 /index.php(5): session_start()
    #1 {main}

    Next Exception: Cannot open source device in /index.php:5
    Stack trace:
    #0 /index.php(5): session_start()
    #1 {main}

    Next Exception: Cannot open source device in /index.php:5
    Stack trace:
    #0 /index.php(5): session_start()
    #1 {main}

    Next Exception: Cannot open source device in /index.php:5
    Stack trace:
    #0 /index.php(5): session_start()
    #1 {main}

    Next Error: Failed to create session ID: files (path: /home/project/customers/john/tmp) in /index.php:5
    Stack trace:
    #0 /index.php(5): session_start()
    #1 {main}
      thrown in /index.php on line 5

Please advise.

nginx.conf
    server {
        listen      443 ssl http2;

        add_header  Cache-Control no-cache;

        ssl on;
        ssl_certificate     /home/project/ssl/project.chain;
        ssl_certificate_key /home/project/ssl/project.key;
        ssl_prefer_server_ciphers on;

        server_name     john.project.net;
        error_log       /home/project/logs/john-error.log;
        access_log      /home/project/logs/john-access.log;

        root            /home/project/customers/john;
        index           index.php;

        location / { deny all; }

        location = / { }
        location = /index.php {
            include         fastcgi_params;
            fastcgi_index   index.php;
            fastcgi_param   SCRIPT_FILENAME $fastcgi_script_name;
            fastcgi_pass    unix:/var/run/php-fpm-project-john.sock;
            try_files       $uri =404;
        }
        location ~ \.(txt|css|map|jpg|png|gif|ico|htc|otf|eot|svg|ttf|woff|woff2|js|ogg)$ { }
    }

php-fpm.conf
    [project-john]
    prefix = /home/project/customers/john
    user = www
    group = www
    listen = /var/run/php-fpm-project-john.sock
    listen.owner = www
    listen.group = www
    listen.mode = 0660
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    chroot = $prefix
    chdir = /
    php_admin_value[session.save_path] = /home/project/customers/john/tmp ; Writable

index.php
    <?php

    ini_set('display_errors', 1);
    echo "test";
    session_start();

    ?>
Alex G

2 Answers


Your php_admin_value[session.save_path] must be relative to the chroot path. (After the chroot, it will just need to appear as /tmp). Right now it's looking for that value within the process root, which results in it looking for a "real path" of /home/project/customers/john/home/project/customers/john/tmp, which is unlikely to exist.

David
  • It's actually not that, there is a different error for non-existent path for sessions. The issue was `/dev/urandom` not being accessible. – Alex G Jan 18 '18 at 03:42

PHP sessions rely on /dev/urandom by default to generate the random id, which is of course not accessible in PHP-FPM chrooted mode. There are hundreds of other OS dependencies which my project needs to function correctly.

At this point I'm dropping any possible chance of using PHP-FPM's chrooted mode.

But if someone is still interested, you need to mount /dev/urandom to /home/project/customers/john/dev/urandom.

https://www.vennedey.net/resources/3-Secure-webspaces-with-NGINX-PHP-FPM-chroots-and-Lets-Encrypt

Alex G
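The two failure modes discussed in this thread (the session ID source device missing inside the chroot, from Alex G's answer, and a `session.save_path` written as a host path rather than a chroot-relative one, from David's answer) can be checked from the host before reloading PHP-FPM. This is an added audit script, not code from the question or either answer; `check_php_chroot` is a hypothetical helper name, and the `-w` test reflects the invoking user's permissions, not those of the `www` pool user.

```shell
#!/bin/sh
# Audit a PHP-FPM chroot for what session_start() needs:
#  1. a character device at <chroot>/dev/urandom (PHP reads it for the
#     session ID; if it is missing you get "Cannot open source device"),
#  2. session.save_path that exists and is writable when resolved
#     *inside* the chroot, i.e. <chroot><save_path>.
# Usage: check_php_chroot CHROOT SAVE_PATH   (SAVE_PATH as PHP sees it)
# Exit status is the number of problems found (0 = ready).
check_php_chroot() {
    chroot=${1%/}        # strip trailing slash so "/" joins cleanly
    save_path=$2
    problems=0

    dev="$chroot/dev/urandom"
    if [ ! -e "$dev" ]; then
        echo "MISSING  $dev (mount devfs or create the node inside the chroot)"
        problems=$((problems + 1))
    elif [ ! -c "$dev" ]; then
        # A regular file named urandom would feed PHP a fixed byte stream
        # instead of kernel randomness; treat it as a defect, not a fix.
        echo "NOT-DEV  $dev exists but is not a character device"
        problems=$((problems + 1))
    fi

    real="$chroot$save_path"
    if [ -d "$real" ] && [ -w "$real" ]; then
        :
    elif [ -n "$chroot" ] && [ "${save_path#"$chroot"/}" != "$save_path" ]; then
        # The configured path already carries the chroot prefix, so PHP
        # would resolve <chroot><chroot>/... which does not exist.
        echo "DOUBLED  $save_path is a host path; inside the chroot use /${save_path#"$chroot"/}"
        problems=$((problems + 1))
    else
        echo "NOWRITE  $real is missing or not writable by this user"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK       $chroot is ready for session_start()"
    return "$problems"
}
```

Run it as `check_php_chroot /home/project/customers/john /tmp` for the pool in the question; the DOUBLED line reproduces the path David describes, and MISSING reproduces the condition behind the "Cannot open source device" exception.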