PHP7.2, opcache file cache & multiple php-fpm pool owners
Opcache file caching doesn't work with two or more php-fpm pools with different owners.

Set opcache.file_cache=/tmp/opcache and clear it out if necessary.

The first site visited will trigger PHP to create a directory:

/tmp/opcache/138dc3bbfb6772d00f2ba10a33e00818

... owned by that pool's user and chmod 700. (The hash is based on the php version and some other stuff).

After that, other pools (different users) can't write to it. So no file caching.

Attempts to change the file cache directory in the pool config, such as:

php_value[opcache.file_cache] = /tmp/opcache-1

or

php_admin_value[opcache.file_cache] = /tmp/opcache-1

... cause a 'bad gateway' error, regardless of ownership/permissions on the directory.

Any ideas?

Comments

  • You are referring to a particular PHP version. If this doesn't happen in a previous version, it should probably be reported as some kind of bug?

  • Generally you would need to have separate master PHP-FPM processes with separate PHP-FPM service control files rather than trying to get one default master PHP-FPM process and service control file handling separate PHP-FPM owned users. Which means as you add more PHP-FPM pools with more master PHP-FPM processes, you'll be using more memory as you add more.

  • sleddog (Member)
    edited February 2018

    jetchirag said: Is opcache.use_cwd set to true?

    It defaults to true, so yes.

    As I understand it, that's a method to have separate opcaches per domain, as @eva2000 suggests below. I don't want separate opcaches, I just want the opcache file cache (introduced in php7) to be writable by all pools.

    yomero said: You are referring to a particular PHP version. If this doesn't happen in a previous version, it should probably be reported as some kind of bug?

    I'm using php 7.2.2, and it's the first time I've experimented with the opcache file cache.

    I expected that:

    php_value[opcache.file_cache] = /tmp/opcache-1

    in the pool config would work, provided that the dir existed and had the correct permissions. It doesn't. I don't know at this point whether that's a bug or intended behaviour.

    eva2000 said: Generally you would need to have separate master PHP-FPM processes with separate PHP-FPM service control files...

    Again, I'm not trying to have separate opcaches, just a file cache that's writable by all php users. The problem is basically a simple file ownership/permissions issue.

    My sites are in user home directories, each in a separate php pool, e.g.:

    • /home/user1/... (php user: www-user1)
    • /home/user2/... (php user: www-user2)

    Starting fresh, if I visit user1's website then a 'home' directory is created in the file cache, owned by www-user1 and chmod 700.

    If I then visit user2's website, file caching does not happen, as the 'home' directory in the file cache is not writable by www-user2.

    I can work around this with a script to initialize the cache directories:

    https://pastebin.com/FDyhnVKc

    Then I have what I want :)

    https://pastebin.com/UWw0By9J

  • You shouldn't have a single cache for all users - that allows cache poisoning.

    In case you want that, just run all php-fpm pools under the same user :-) It's just as secure as using a shared file cache between multiple users.

  • Zerpy said: You shouldn't have a single cache for all users - that allows cache poisoning.

    In case you want that, just run all php-fpm pools under the same user :-) It's just as secure as using a shared file cache between multiple users.

    I don't think so. Running all pools as the same user provides the same filesystem access for all pools.

    A poisoned cache is one thing, a poisoned filesystem is something else.

    There are a few things that can be done to lessen the likelihood of cache poisoning. Have a look through http://gosecure.net/2016/04/27/binary-webshell-through-opcache-in-php-7/
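An added audit helper for the situation in this thread (it is not the pastebin script from sleddog's post, and the function name `opcache_audit` is made up here): given the opcache.file_cache root and, optionally, the pool user expected to own it, it reports every entry another pool user could write to, which is the condition that lets one pool plant compiled code that a different pool's PHP will load.

```shell
#!/bin/sh
# opcache_audit ROOT [EXPECTED_OWNER]
# Walks an opcache.file_cache tree (e.g. /tmp/opcache) and prints:
#   - entries below the root that are group- or world-writable
#   - entries not owned by EXPECTED_OWNER, when one is given
# The root itself is skipped because it may legitimately be writable so
# each pool can create the version-hash directory underneath it.
# Exit status: 0 = nothing found, 1 = findings printed, 2 = bad argument.
opcache_audit() {
    root=$1
    owner=${2:-}
    if [ ! -d "$root" ]; then
        echo "opcache_audit: not a directory: $root" >&2
        return 2
    fi
    hits=0

    # Anything writable by group or others below the root is shared cache
    # storage: a second pool user could replace cached opcodes here.
    writable=$(find "$root" ! -path "$root" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$writable" ]; then
        printf 'writable by group/others:\n%s\n' "$writable"
        hits=1
    fi

    # Entries owned by someone else mean another pool created part of the
    # tree this pool will read compiled scripts from.
    if [ -n "$owner" ]; then
        foreign=$(find "$root" ! -path "$root" ! -user "$owner" -print)
        if [ -n "$foreign" ]; then
            printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
            hits=1
        fi
    fi
    return "$hits"
}

# Run directly: sh opcache_audit.sh /tmp/opcache www-user1
if [ "$#" -gt 0 ]; then
    opcache_audit "$@"
    exit $?
fi
```

A clean tree (every entry mode 700 and owned by the pool user, as PHP creates it) exits 0; the pre-initialised shared layout from the workaround above exits 1 and lists the shared directories.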
