Topic: php 7.4 permission problem

Hi:
   I enable php:remi-7.4 module at centos 8.3, so I can install some php packages. I am using apache with php.
after installation, I create a test "a.php" at /var/www/html with owner "root:root", permission "0700". but I am surprised that
I can access that file via browser. with normal RedHat rpms (like centos 8.3 with php 7.2 default module), the httpd/php daemon runs as user "apache" and can not access that file. I don't know if this is the normal behavior?

Re: php 7.4 permission problem

Sorry, but I cannot reproduce

See https://server.famillecollet.com/a.php

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: php 7.4 permission problem

Remi wrote:

Sorry, but I cannot reproduce

See https://server.famillecollet.com/a.php

thanks for the quick reply. then I think I need to install a clean system to test.
I will let you know the result tomorrow.

Re: php 7.4 permission problem

tbsky wrote:
Remi wrote:

Sorry, but I cannot reproduce

thanks for the quick reply. then I think I need to install a clean system to test.
I will let you know the result tomorrow.

doing further testing and find behavior below:

create a.php with root and "700"  =>  browser permission deny
chmod 755 a.php => now browser can access it
chmod 700 a.php => browser still can access it. this is the problem I got. not the same behavior as centos 8.3 + centos-php 7.2
systemctl restart httpd => browser still can access it.
systemctl restart php-fpm => now browser permission deny.

so it seems the behavior caused by php-fpm?

Re: php 7.4 permission problem

looks like a cache issuen check opcache configuration (opcache.validate_permission, opcache.revalidate_freq...)

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: php 7.4 permission problem

Remi wrote:

looks like a cache issuen check opcache configuration (opcache.validate_permission, opcache.revalidate_freq...)

thanks for the hint. I didn't aware there is something like that. there is no such settings at centos-php-7.2. I didn't modify php default except timezone. I wait for 10 minutes but the cache is still there. it seems not secure to cache so long.

grep -r  opcache.validate /etc | grep validate
/etc/php-zts.d/10-opcache.ini:;opcache.validate_timestamps=1
/etc/php-zts.d/10-opcache.ini:;opcache.validate_permission=0
/etc/php-zts.d/10-opcache.ini:;opcache.validate_root=0
/etc/php.d/10-opcache.ini:;opcache.validate_timestamps=1
/etc/php.d/10-opcache.ini:;opcache.validate_permission=0
/etc/php.d/10-opcache.ini:;opcache.validate_root=0

Re: php 7.4 permission problem

Same settings exists in all PHP versions since opcache exists, including official 7.2, 7.3 and 7.4 stream in CentOS 8 or alternative stream from my repo

opcache is there to improve performance, and checking permissions on each request is terribly bad

Without opcache, your issue disappear

With opcache, I can reproduce this behavior with all PHP versions (tested with 7.0, 7.1, 7.2, 7.3, 7.4 and 8.0...)

opcache.validate_permission force opcache to check permission on each request, but decrease perf, and is a workaround to your issue

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: php 7.4 permission problem

Remi wrote:

Same settings exists in all PHP versions since opcache exists, including official 7.2, 7.3 and 7.4 stream in CentOS 8 or alternative stream from my repo

opcache is there to improve performance, and checking permissions on each request is terribly bad

Without opcache, your issue disappear

With opcache, I can reproduce this behavior with all PHP versions (tested with 7.0, 7.1, 7.2, 7.3, 7.4 and 8.0...)

opcache.validate_permission force opcache to check permission on each request, but decrease perf, and is a workaround to your issue


it seems cache forever and not secure. maybe the default settings should be secure? centos 8.3 + centos-7.2-php is secure and didn't have this issue.

Re: php 7.4 permission problem

> centos 8.3 + centos-7.2-php is secure and didn't have this issue.

Sorry, but I don't think so.
You have exactly the same behavior with 7.2.24 from the official stream when php-opcache is installed.

This is an upstream (PHP) behavior


P.S. feel free to open an issue on https://bugs.php.net/ is your think this is wrong

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

10 (edited by tbsky 2020-12-22 16:12:52)

Re: php 7.4 permission problem

Remi wrote:

> centos 8.3 + centos-7.2-php is secure and didn't have this issue.

Sorry, but I don't think so.
You have exactly the same behavior with 7.2.24 from the official stream when php-opcache is installed.

This is an upstream (PHP) behavior


P.S. feel free to open an issue on https://bugs.php.net/ is your think this is wrong

you are right. I don't know there is a package named "php-opcache". it must auto installed with other php dependency.
I remove that package now and the system behavior is correct.
thanks a lot for your help!!