Bug 1200234 - apparmor blocks access of php-fpm to scripts under $HOME/public_html
apparmor blocks access of php-fpm to scripts under $HOME/public_html
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: AppArmor
Leap 15.4
x86-64 openSUSE Leap 15.4
: P5 - None : Normal with 5 votes (vote)
: ---
Assigned To: Christian Boltz
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-06-05 08:09 UTC by Dirk Weber
Modified: 2022-11-18 02:57 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirk Weber 2022-06-05 08:09:32 UTC
After the upgrade from Leap 15.3 to Leap 15.4 a php webpage with scripts located under 
$HOME/public_html was no longer working.

The webserver log said:
2022-06-03 17:55:06: (mod_fastcgi.c.451) FastCGI-stderr:Unable to open primary script: /home/user/public_html/project/index.php (Permission denied)


/var/log/audit/audit.log:
type=AVC msg=audit(1654271706.674:267): apparmor="DENIED" operation="open" profile="php-fpm" name="/home/user/public_html/project/index.php" pid=2282 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=473 ouid=1000


Adding read access to scripts in the directory restored the functionality:
cat /etc/apparmor.d/local/php-fpm 
# Site-specific additions and overrides for 'php-fpm'
  @{HOME}/public_html/**/*.php r,

In the release notes of Leap 15.4 I did not find a hint that public_html is deprecated and which directory should be used instead. 

For Leap 15.3 the access to home directories was restored after applying systemd hardening settings, see bug 1195465.
Therefore I think either the apparmor profile should be updated or the release notes should give a recommendation where to move such projects.
Comment 1 Christian Boltz 2022-08-08 19:50:45 UTC
Sorry for the late answer!

Leap 15.4 comes with AppArmor 3.0.x while 15.3 had AppArmor 2.13.x. This version update also added the php-fpm profile.

There are no plans to deprecate using ~/public_html, but it seems it's used rarely enough that you are the first to hit this issue.
Comment 2 Dirk Weber 2022-08-09 07:53:24 UTC
(In reply to Christian Boltz from comment #1)
> Sorry for the late answer!
> 
> Leap 15.4 comes with AppArmor 3.0.x while 15.3 had AppArmor 2.13.x. This
> version update also added the php-fpm profile.
> 
> There are no plans to deprecate using ~/public_html, but it seems it's used
> rarely enough that you are the first to hit this issue.

No problem, to apply the local fix is easy enough. 
It is great that Leap 15.4 got this AppArmor version update with additional profiles!
Comment 3 H. Zeng 2022-11-18 02:57:25 UTC
I think this might affect the access to not only $HOME/public_html but also /srv/www/htdocs. But I do not know for sure as I do not have the knowledge to tell.

I just upgraded my home server from lp153 to lp154. After that, self-hosted Nextcloud on that server cannot be accessed. It throws out 403 error when access php files but response normally when requesting normal file like .ico file. With information in this bug report, I found that there are messages like following,

`type=AVC msg=audit(1668739699.011:2625): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=559 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=498 ouid=498`

Hopefully this information is helpful for implement fix to such issue.