nixos/phpfpm: run as non root user for enhanced security #73223

Closed
aanderse wants to merge 1 commit into NixOS:master from aanderse:phpfpm

Conversation

@aanderse
Member

@aanderse aanderse commented Nov 11, 2019

Motivation for this change

Security.

NOTE: I'm not specifically familiar with linux capabilities beyond the man page so if I'm missing anything in AmbientCapabilities or CapabilitiesBoundingSet please let me know.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 11, 2019
@aanderse aanderse requested review from dasJ and globin November 11, 2019 14:32
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Nov 11, 2019
@dasJ
Member

dasJ commented Nov 11, 2019

@aanderse I don't have time to review this rn, but I'll do so later. In the meantime: CapabilityBoundingSet is a set of capabilities the service may have at some point, this includes setuid or setcap gained capabilities.
AmbientCapabilities is a set of capabilities the service will just get when spawned and not running as root

Example: If your service wants to bind a privileged port (< 1024), and is not running as root, you need to add CAP_NET_BIND_SERVICE to CapabilityBoundingSet (because the process will need it at some point) and AmbientCapabilities (because the process is not running as root and would otherwise not have it).

@aanderse aanderse requested a review from flokli November 11, 2019 18:22
@aanderse aanderse changed the title nixos/phpfpm: run as non root user for enhanced security WIP: nixos/phpfpm: run as non root user for enhanced security Nov 11, 2019
@aanderse
Member Author

Having some issues getting this to work properly with socket activation. Will get back to it when I have some time. Any help/testing appreciated.

Contributor

@florianjacob florianjacob left a comment


Socket activation, yeah! 🥳

@florianjacob
Contributor

Having some issues getting this to work properly with socket activation. Will get back to it when I have some time. Any help/testing appreciated.

How do the problems manifest? From my previous socket activation experience, everything seems to be allright? :/

@aanderse
Member Author

aanderse commented Nov 22, 2019

How do the problems manifest? From my previous socket activation experience, everything seems to be allright? :/

After circling back to this I have found the problem! Another case of PEBKAC seems to be the culprit, as I can't reproduce any problems now and everything is running smoothly...

Next steps:

  • test without using sockets
  • have other people test

@flokli
Member

flokli commented Nov 23, 2019

@aanderse I think we should add some phpfpm-specific tests to nixos/tests (we currently only test this via other modules which enable it indirectly).

Those should include both connection via unix file sockets and tcp.

@aanderse aanderse force-pushed the phpfpm branch 3 times, most recently from 7eef418 to ee20f29 Compare November 23, 2019 16:22
@aanderse
Member Author

aanderse commented Nov 23, 2019

@GrahamcOfBorg test phpfpm
@GrahamcOfBorg test limesurvey matomo
@GrahamcOfBorg test mediawiki roundcube
@GrahamcOfBorg test moodle
@GrahamcOfBorg test wordpress
@GrahamcOfBorg test nextcloud.with-postgresql-and-redis

@aanderse aanderse changed the title WIP: nixos/phpfpm: run as non root user for enhanced security nixos/phpfpm: run as non root user for enhanced security Nov 23, 2019
@aanderse
Member Author

Sorry for the noise up until this point. I believe this PR is ready for review now. Thanks for the help so far.

@aanderse
Member Author

It seems that the correct way to make phpfpm run as a non root user is to use systemd. This PR doesn't really aim to accomplish much beyond running as a non root user. I'm happy to let this sit for a while because I don't think there is a great way to accomplish this without systemd sockets.

@dasJ
Member

dasJ commented Dec 20, 2019

@aanderse I was playing around with php-fpm and I have it kind of running without socket units. While socket units really are the best solution, I'm working around that with the following systemd service options:

User = "kimai";
AmbientCapabilities = "CAP_CHOWN";

This way, php-fpm is allowed to chown the socket to any user. However, this gets really nasty with the permissions of /run/phpfpm, which is why I believe the best way to solve this are socket units.

@aanderse
Member Author

aanderse commented Dec 20, 2019

@dasJ unfortunately chown could be called on anything by any .php script then. I'm hoping to get back to this after my apache pr is merged.

Contributor

missing
];

Member Author

Looks like a change to master merged poorly? Will fix shortly.

Contributor

These options are not used:

дек 24 19:50:05 NixOS-Test php-fpm[6321]: [NOTICE] [pool test-02] 'user' directive is ignored when FPM is not running as root
дек 24 19:50:05 NixOS-Test php-fpm[6321]: [NOTICE] [pool test-02] 'group' directive is ignored when FPM is not running as root

Contributor

After deleting these lines the service stops starting.
Worked with these lines:

          RuntimeDirectory = "phpfpm-${pool}";
          RuntimeDirectoryMode = "0750";

With RuntimeDirectory = "phpfpm"; and 2 pools the directory /run/phpfpm is recreated. Need to use "phpfpm-${pool}";

Contributor

my example patch

diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix
index 31f4ae5445f..9e0177c22c8 100644
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -5,8 +5,6 @@ with lib;
 let
   cfg = config.services.phpfpm;

-  runtimeDir = "/run/phpfpm";
-
   toStr = value:
     if true == value then "yes"
     else if false == value then "no"
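Review bot: dropping the `runtimeDir` binding is only safe if no other expression in the file still interpolates `${runtimeDir}`; only the `default` in the following hunk is updated here, so grep the module for remaining uses (an `example` attribute is a typical leftover) before merging, otherwise evaluation fails with an undefined variable.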
@@ -42,7 +40,7 @@ let
       options = {
         socket = mkOption {
           type = types.str;
-          default = "${runtimeDir}/${name}.sock";
+          default = "/run/phpfpm-${name}/${name}.sock";
           readOnly = true;
           description = ''
             Path to the unix socket file on which to accept FastCGI requests.
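Review bot: the new `default = "/run/phpfpm-${name}/${name}.sock"` hardcodes a directory name that the service unit derives separately as `RuntimeDirectory = "phpfpm-${pool}"` in the last hunk; bind the directory name once in `let` and use it in both places so the socket path and the runtime directory cannot drift apart.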
@@ -136,8 +134,6 @@ let
           "listen.owner" = poolOpts.user;
           "listen.group" = poolOpts.group;
           "listen.mode" = "0660";
-          "user" = poolOpts.user;
-          "group" = poolOpts.group;
         };
       };
     };
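Review bot: with `user`/`group` removed and the unit running as `poolOpts.user`, the remaining `listen.owner`/`listen.group` are applied by an unprivileged php-fpm via chown(), which only succeeds when they equal the service's own user and a group it belongs to; add an assertion for that equality, or document that the socket group is the only remaining way to grant the web server access.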
@@ -147,6 +143,7 @@ in {
     (mkRemovedOptionModule [ "services" "phpfpm" "poolConfigs" ] "Use services.phpfpm.pools instead.")
     (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
     (mkRemovedOptionModule [ "services" "phpfpm" "listen" ] "Reference the read-only option config.services.phpfpm.pools.<name>.socket to access the path of your socket.")
+  ];

   options = {
     services.phpfpm = {
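Review bot: the added `];` closes the `imports` list opened earlier in the file; it is a syntax repair independent of the runtime-directory change and should be its own commit so the fix for the bad merge noted in the thread is reviewable on its own.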
@@ -329,6 +326,8 @@ in {
           KillMode = mkIf createSocket "process";
           User = poolOpts.user;
           Group = poolOpts.group;
+          RuntimeDirectory = "phpfpm-${pool}";
+          RuntimeDirectoryMode = "0750";
         };
       }
     ) cfg.pools;
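Review bot: `RuntimeDirectoryMode = "0750"` combined with `User`/`Group` leaves `/run/phpfpm-${pool}` traversable only by the pool's user and group, so a web server running in another group cannot reach the socket even though `"listen.mode" = "0660"` would permit it; state in the `group` option description that the web server user must be a member of that group.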

Member Author

listen.owner, listen.group, listen.mode, user, and group are all used by the nixos module and will not be used by phpfpm anymore. The reason they remain is documentation. If those values aren't there users can be confused what is happening. Tricky because systemd is taking care of everything that phpfpm used to... but better than leaving users without any idea IMO.

Member Author

RuntimeDirectory shouldn't be needed anymore because systemd socket is taking care of directory and socket creation.

Contributor

Options user and group are written to the phpfpm configuration:
cat /nix/store/...-phpfpm-test-01.conf

[global]
daemonize = no
error_log = syslog
rlimit_core = unlimited
rlimit_files = 131072


[test-01]
group = nginx
listen = /run/phpfpm-test-01/test-01.sock
listen.group = nginx
listen.mode = 0660
listen.owner = nginx
pm = dynamic
pm.max_children = 20
pm.max_requests = 400
pm.max_spare_servers = 12
pm.min_spare_servers = 2
pm.start_servers = 4
user = nginx

@aanderse aanderse added this to the 20.09 milestone Jan 30, 2020
Member

@Ma27 Ma27 left a comment


Without having it tested yet, this seems fine to me and could be merged IMHO as soon as the remaining comments are resolved.

@aanderse
Member Author

@Ma27 there are still issues unresolved. I haven't had time to figure out exactly how to reproduce them, but this should not be merged as it will break something. I'm hoping to get back to this at some point...

@Izorkin
Contributor

Izorkin commented May 18, 2020

Found a bug: after changing pool.${pool}.user and group, the php-fpm service is not restarted.

@aanderse
Member Author

@Izorkin yeah I'm sort of stuck on this for now. It seems our activation scripts are pretty buggy, especially surrounding sockets, so I'm at a point where I think this PR is stuck until that is fixed.

@ofborg ofborg bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-linux: 1 This PR causes 1 package to rebuild on Linux. and removed 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels May 18, 2020
@Izorkin
Contributor

Izorkin commented May 18, 2020

@aanderse variant without systemd-socket?

@aanderse
Member Author

@aanderse variant without systemd-socket?

The proper solution is to use a systemd socket, so I think we need to fix our activation scripts.

@aanderse aanderse removed this from the 20.09 milestone Aug 17, 2020
@ryantm ryantm added 2.status: merge conflict This PR has merge conflicts with the target branch and removed 2.status: merge conflict This PR has merge conflicts with the target branch labels Oct 3, 2020
@aanderse
Member Author

@Izorkin since you asked on IRC again about letting php-fpm run as a non root user without systemd socket units I thought I should better clarify why that isn't an option that I see working out:

  • Scenario 1: utilize something like RuntimeDirectory to provision a directory with appropriate permissions for php-fpm to create a socket in.
    • php-fpm fails with [ERROR] [pool pool1] failed to chown() the socket '/run/php-fpm-pool1/pool1.sock': Operation not permitted (1) when settings."listen.owner" differs from user because php-fpm can't create a socket as a different user.
  • Scenario 2: start granting AmbientCapabilities like CAP_CHOWN to the systemd service unit
    • I would ask you consider, but not run, the following script with this scenario: <?php chown('/etc/nixos'); unlink('/etc/nixos/configuration.nix'); and note how capabilities are passed down from the php-fpm master process to all child processes.

If there is a scenario I have overlooked in which we can run php-fpm as a non root user without utilizing systemd socket units please let me know.

ping @flokli as a reminder of our tentative meeting to discuss switch-to-configuration.pl over the winter break 😉
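
A check a reviewer can run against a live php-fpm process tree to confirm dasJ's distinction earlier in the thread (bounding set vs ambient set) and the inheritance aanderse describes in scenario 2. This is an added example, not code from the PR or the NixOS module; it decodes the `Cap*` lines of `/proc/<pid>/status`, and the status excerpts embedded below are constructed.

```python
"""Audit the capability sets of php-fpm processes from /proc/<pid>/status.

Added example (not part of the PR). Bit n of each 64-bit hex mask is
capability n from <linux/capability.h>; CAP_CHOWN is bit 0, so the
AmbientCapabilities=CAP_CHOWN workaround shows up as a CapAmb ending in 1.
"""
import re
from pathlib import Path

# Subset of capability numbers relevant to a web-application service.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE", 21: "CAP_SYS_ADMIN",
}
CAP_RE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]{1,16})$")


def parse_status(text):
    """Return {set_name: int mask} for the Cap* lines of a status dump."""
    caps = {}
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def decode(mask):
    """Names of the capabilities set in mask (unknown bits as CAP_<n>)."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if (mask >> b) & 1]


def audit(processes, forbidden=("CAP_CHOWN",)):
    """processes: {label: status text}. Returns {label: [finding, ...]}.

    Ambient caps survive execve and are inherited by every forked worker,
    so PHP code run by the pool reaches them too. A cap that is only in the
    bounding set is unusable now but could be regained through a setuid or
    file-capability binary, which is what CapabilityBoundingSet= restricts.
    """
    report = {}
    for label, text in processes.items():
        caps = parse_status(text)
        ambient = decode(caps.get("CapAmb", 0))
        bounding = decode(caps.get("CapBnd", 0))
        findings = []
        for cap in forbidden:
            if cap in ambient:
                findings.append(f"{cap}: ambient")
            elif cap in bounding:
                findings.append(f"{cap}: bounding-only")
        report[label] = findings
    return report


def audit_live(pids):
    """Same audit over running processes (needs a Linux host)."""
    return audit({str(p): Path(f"/proc/{p}/status").read_text() for p in pids})


# Constructed status excerpts (only the Cap* lines matter here).
FULL_BND = "000001ffffffffff"   # unrestricted bounding set on a 5.x kernel
SAMPLES = {
    # User= plus AmbientCapabilities=CAP_CHOWN, as in dasJ's workaround;
    # a worker forked by that master carries the identical sets.
    "chown-worker": "Name:\tphp-fpm\nUid:\t1001\t1001\t1001\t1001\n"
                    "CapInh:\t0000000000000001\nCapPrm:\t0000000000000001\n"
                    f"CapEff:\t0000000000000001\nCapBnd:\t{FULL_BND}\n"
                    "CapAmb:\t0000000000000001\n",
    # Plain User= with no capability directives at all.
    "plain-worker": "Name:\tphp-fpm\nCapInh:\t0000000000000000\n"
                    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
                    f"CapBnd:\t{FULL_BND}\nCapAmb:\t0000000000000000\n",
    # User= plus an empty CapabilityBoundingSet=: nothing can be regained.
    "hardened-worker": "Name:\tphp-fpm\nCapInh:\t0000000000000000\n"
                       "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
                       "CapBnd:\t0000000000000000\nCapAmb:\t0000000000000000\n",
}

if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(f"{label}: {findings or 'clean'}")
```

On a real host, `audit_live` takes the pids from `ps -aux | grep php-fpm` and flags any pool whose workers still carry CAP_CHOWN in the ambient set.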

@Izorkin
Contributor

Izorkin commented Dec 13, 2020

I don't see such problems with this patch:

diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix
index 4d302299f5f..1aa3fc568d0 100644
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -5,8 +5,6 @@ with lib;
 let
   cfg = config.services.phpfpm;

-  runtimeDir = "/run/phpfpm";
-
   toStr = value:
     if true == value then "yes"
     else if false == value then "no"
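Review bot: `runtimeDir` is removed here and its remaining uses go in the following hunks (the `example` attribute and the `socket` computation); confirm with a grep that nothing else in the module references it, since a leftover `${runtimeDir}` is an evaluation error, not a warning.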
@@ -39,20 +37,11 @@ let
       options = {
         socket = mkOption {
           type = types.str;
+          default = "/run/phpfpm-${name}/${name}.sock";
           readOnly = true;
           description = ''
             Path to the unix socket file on which to accept FastCGI requests.
-            <note><para>This option is read-only and managed by NixOS.</para></note>
-          '';
-          example = "${runtimeDir}/<name>.sock";
-        };
-
-        listen = mkOption {
-          type = types.str;
-          default = "";
-          example = "/path/to/unix/socket";
-          description = ''
-            The address on which to accept FastCGI requests.
+            This option is read-only and reflects the value of "opt-services.phpfpm.pools._name_.listen" if a socket path is specified, and otherwise blank.
           '';
         };

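Review bot: the replacement description says the value reflects `opt-services.phpfpm.pools._name_.listen` "if a socket path is specified, and otherwise blank", but this same hunk deletes the `listen` option and the new `default` is never blank, so the text is stale; describe `socket` as the fixed path `/run/phpfpm-<name>/<name>.sock` and keep the note that it is read-only and managed by NixOS.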
@@ -91,11 +80,13 @@ let
         user = mkOption {
           type = types.str;
           description = "User account under which this pool runs.";
+          example = literalExample "config.services.nginx.user";
         };

         group = mkOption {
           type = types.str;
           description = "Group account under which this pool runs.";
+          example = literalExample "config.services.nginx.group";
         };

         settings = mkOption {
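Review bot: since `user` now also becomes `User=` on the unit (last hunk), its description should say that the php-fpm master and every worker run as this account, which is the property this PR adds; `literalExample "config.services.nginx.user"` invites running PHP as the web server's own user, so an example with a dedicated account, as the test configuration later in the thread uses, would be the safer default to show.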
@@ -131,14 +122,14 @@ let
       };

       config = {
-        socket = if poolOpts.listen == "" then "${runtimeDir}/${name}.sock" else poolOpts.listen;
         group = mkDefault poolOpts.user;
         phpOptions = mkBefore cfg.phpOptions;

-        settings = mapAttrs (name: mkDefault){
-          listen = poolOpts.socket;
-          user = poolOpts.user;
-          group = poolOpts.group;
+        settings = mapAttrs (name: mkDefault) {
+          "listen" = poolOpts.socket;
+          "listen.owner" = poolOpts.user;
+          "listen.group" = poolOpts.group;
+          "listen.mode" = "0660";
         };
       };
     };
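Review bot: `"listen.mode" = "0660"` and `"listen.group" = poolOpts.group` are `mkDefault`, so a user can widen the socket to 0666, but with `RuntimeDirectoryMode = "0750"` set in the last hunk that still grants nothing to accounts outside `poolOpts.group` (which `config` defaults to `poolOpts.user`); the descriptions should name the directory mode, not `listen.mode`, as the access boundary and tell users to add the web server to the pool's group.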
@@ -154,6 +145,11 @@ in {
       settings = mkOption {
         type = with types; attrsOf (oneOf [ str int bool ]);
         default = {};
+        example = literalExample ''
+          {
+            "log_level" = "debug";
+          }
+        '';
         description = ''
           PHP-FPM global directives. Refer to the "List of global php-fpm.conf directives" section of
           <link xlink:href="https://www.php.net/manual/en/install.fpm.configuration.php"/>
@@ -201,21 +197,51 @@ in {
         type = types.attrsOf (types.submodule poolOpts);
         default = {};
         example = literalExample ''
-         {
-           mypool = {
-             user = "php";
-             group = "php";
-             phpPackage = pkgs.php;
-             settings = {
-               "pm" = "dynamic";
-               "pm.max_children" = 75;
-               "pm.start_servers" = 10;
-               "pm.min_spare_servers" = 5;
-               "pm.max_spare_servers" = 20;
-               "pm.max_requests" = 500;
-             };
-           }
-         }'';
+          {
+            web1 = {
+              user = "nginx";
+              group = "nginx";
+              phpPackage = pkgs.php74;
+              settings = {
+                "pm" = "dynamic";
+                "pm.max_children" = 75;
+                "pm.start_servers" = 10;
+                "pm.min_spare_servers" = 5;
+                "pm.max_spare_servers" = 20;
+                "pm.max_requests" = 500;
+              };
+            }
+
+            web2 = {
+              user = "wwwrun";
+              group = "wwwrun";
+              phpPackage = pkgs.php80;
+              settings = {
+                "pm" = "dynamic";
+                "pm.max_children" = 75;
+                "pm.start_servers" = 10;
+                "pm.min_spare_servers" = 5;
+                "pm.max_spare_servers" = 20;
+                "pm.max_requests" = 500;
+              };
+            }
+
+            web3 = {
+              user = "php";
+              group = "php";
+              settings = {
+                "listen" = "9000";
+                "listen.allowed_clients" = "127.0.0.1, 129.0.0.223, 129.0.0.48";
+                "pm" = "dynamic";
+                "pm.max_children" = 75;
+                "pm.start_servers" = 10;
+                "pm.min_spare_servers" = 5;
+                "pm.max_spare_servers" = 20;
+                "pm.max_requests" = 500;
+              };
+            };
+          }
+        '';
         description = ''
           PHP-FPM pools. If no pools are defined, the PHP-FPM
           service is disabled.
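Review bot: the `web3` example sets `"listen" = "9000"` without an address, which binds every interface (the `ss` output further down shows `*:9000`), leaving `listen.allowed_clients` as the only access control; use `"127.0.0.1:9000"` in the example so the TCP variant is loopback-only unless deliberately widened, and replace the `129.0.0.x` addresses with obviously placeholder values.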
@@ -227,9 +253,6 @@ in {
   config = mkIf (cfg.pools != {}) {

     warnings =
-      mapAttrsToList (pool: poolOpts: ''
-        Using config.services.phpfpm.pools.${pool}.listen is deprecated and will become unsupported in a future release. Please reference the read-only option config.services.phpfpm.pools.${pool}.socket to access the path of your socket.
-      '') (filterAttrs (pool: poolOpts: poolOpts.listen != "") cfg.pools) ++
       mapAttrsToList (pool: poolOpts: ''
         Using config.services.phpfpm.pools.${pool}.extraConfig is deprecated and will become unsupported in a future release. Please migrate your configuration to config.services.phpfpm.pools.${pool}.settings.
       '') (filterAttrs (pool: poolOpts: poolOpts.extraConfig != null) cfg.pools) ++
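Review bot: the deprecation warning for `pools.<name>.listen` goes away, but an earlier hunk deletes the option itself, so configurations that still set it now fail evaluation with an undefined option instead of getting a warning; add an assertion or a removed-option message pointing users at `settings.listen`, in the same way the module already handles the old `services.phpfpm.listen` with `mkRemovedOptionModule`.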
@@ -253,15 +276,19 @@ in {
     };

     systemd.services = mapAttrs' (pool: poolOpts:
+      let
+        cfgFile = fpmCfgFile pool poolOpts;
+        iniFile = phpIni poolOpts;
+        createSocket = poolOpts.socket == poolOpts.settings.listen;
+      in
+
       nameValuePair "phpfpm-${pool}" {
         description = "PHP FastCGI Process Manager service for pool ${pool}";
         after = [ "network.target" ];
         wantedBy = [ "phpfpm.target" ];
         partOf = [ "phpfpm.target" ];
-        serviceConfig = let
-          cfgFile = fpmCfgFile pool poolOpts;
-          iniFile = phpIni poolOpts;
-        in {
+
+        serviceConfig = {
           Slice = "phpfpm.slice";
           PrivateDevices = true;
           PrivateTmp = true;
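Review bot: `createSocket` is bound in the new `let` but none of the visible hunks use it; if this variant drops the socket unit entirely, remove the binding, otherwise show where it is consumed (in the earlier patch in this thread it drove `KillMode = mkIf createSocket "process"`).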
@@ -272,9 +299,13 @@ in {
           Type = "notify";
           ExecStart = "${poolOpts.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${iniFile}";
           ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
-          RuntimeDirectory = "phpfpm";
-          RuntimeDirectoryPreserve = true; # Relevant when multiple processes are running
           Restart = "always";
+          # User and group
+          User = poolOpts.user;
+          Group = poolOpts.group;
+          # Runtime directory and mode
+          RuntimeDirectory = "phpfpm-${pool}";
+          RuntimeDirectoryMode = "0750";
         };
       }
     ) cfg.pools;
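Review bot: dropping `RuntimeDirectoryPreserve` is correct now that each pool owns its own `/run/phpfpm-${pool}`, but once `User=` is set php-fpm can no longer raise its own hard resource limits, so a pool `rlimit_files = 131072` like the one in the test configuration only takes effect if the unit's `LimitNOFILE=` hard limit allows it; check the worker's effective limit after start and set `LimitNOFILE=` on the unit if php-fpm logs a setrlimit failure.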

Example configuration:

{ config, pkgs, ... }:
{
  users = {
    users.test-01 = { };
    users.test-02 = { };
    users.test-03 = { };
    groups.test-01 = { members = [ "test-01" ]; };
    groups.test-02 = { members = [ "test-02" ]; };
    groups.test-03 = { members = [ "test-03" ]; };
  };

  services.phpfpm = {
    settings = {
      "log_level" = "notice";
      "syslog.ident" = "php-fpm";
      "emergency_restart_threshold" = "10";
      "emergency_restart_interval" = "60";
      "process_control_timeout" = "10";
      "events.mechanism" = "epoll";
    };
    pools = {
      test-01 = {
        user = "test-01";
        group = "test-01";
        phpPackage = pkgs.php74;
        phpOptions = ''
          allow_url_fopen = On
          max_execution_time = 30
          max_input_time = 30
        '';
        settings = {
          # Pool Process Manager
          "pm" = "dynamic";
          "pm.max_children" = "20";
          "pm.start_servers" = "4";
          "pm.min_spare_servers" = "2";
          "pm.max_spare_servers" = "12";
          "pm.max_requests" = "400";
          # PM Status & ping
          "pm.status_path" = "/status";
          "ping.path" = "/ping";
          # Limits
          "rlimit_core" = "unlimited";
          "rlimit_files" = "131072";
        };
      };
      test-02 = {
        user = "test-02";
        group = "test-02";
        phpPackage = pkgs.php80;
        phpOptions = ''
          allow_url_fopen = On
          max_execution_time = 30
          max_input_time = 30
        '';
        settings = {
          # Pool Process Manager
          "pm" = "dynamic";
          "pm.max_children" = "20";
          "pm.start_servers" = "4";
          "pm.min_spare_servers" = "2";
          "pm.max_spare_servers" = "12";
          "pm.max_requests" = "400";
          # PM Status & ping
          "pm.status_path" = "/status";
          "ping.path" = "/ping";
          # Limits
          "rlimit_core" = "unlimited";
          "rlimit_files" = "131072";
        };
      };
      test-03 = {
        user = "test-03";
        group = "test-03";
        phpPackage = pkgs.php74;
        phpOptions = ''
          allow_url_fopen = On
          max_execution_time = 30
          max_input_time = 30
        '';
        settings = {
          # Listen on port
          "listen" = "9000";
          "listen.allowed_clients" = "127.0.0.1, 129.0.0.223, 129.0.0.48";
          # Pool Process Manager
          "pm" = "dynamic";
          "pm.max_children" = "20";
          "pm.start_servers" = "4";
          "pm.min_spare_servers" = "2";
          "pm.max_spare_servers" = "12";
          "pm.max_requests" = "400";
          # PM Status & ping
          "pm.status_path" = "/status";
          "ping.path" = "/ping";
          # Limits
          "rlimit_core" = "unlimited";
          "rlimit_files" = "131072";
        };
      };
    };
  };
}

Result:

ls -lah /run | grep phpfpm
drwxr-x---  2 test-01 test-01   60 дек 13 21:07 phpfpm-test-01
drwxr-x---  2 test-02 test-02   60 дек 13 21:07 phpfpm-test-02
drwxr-x---  2 test-03 test-03   40 дек 13 21:07 phpfpm-test-03
sudo ls -lah /run/phpfpm-test-01
итого 0
drwxr-x---  2 test-01 test-01  60 дек 13 21:07 .
drwxr-xr-x 26 root    root    740 дек 13 21:07 ..
srw-rw----  1 test-01 test-01   0 дек 13 21:07 test-01.sock

sudo ls -lah /run/phpfpm-test-02
итого 0
drwxr-x---  2 test-02 test-02  60 дек 13 21:07 .
drwxr-xr-x 26 root    root    740 дек 13 21:07 ..
srw-rw----  1 test-02 test-02   0 дек 13 21:07 test-02.sock

sudo ls -lah /run/phpfpm-test-03
итого 0
drwxr-x---  2 test-03 test-03  40 дек 13 21:07 .
drwxr-xr-x 26 root    root    740 дек 13 21:07 ..
sudo ss -lptun | grep php
tcp   LISTEN 0      0                  *:9000             *:*    users:((".php-fpm-wrappe",pid=51677,fd=9),(".php-fpm-wrappe",pid=51676,fd=9),(".php-fpm-wrappe",pid=51675,fd=9),(".php-fpm-wrappe",pid=51674,fd=9),(".php-fpm-wrappe",pid=51669,fd=6))
sudo ps -aux | grep php-fpm | sort -n
test-01   51664  0.0  1.1 441160 22460 ?        Ss   21:07   0:00 php-fpm: master process (/nix/store/hrcdm2slax4cf20sq1il1n8w00k4218v-phpfpm-test-01.conf)
test-01   51670  0.0  0.3 441160  7660 ?        S    21:07   0:00 php-fpm: pool test-01
test-01   51671  0.0  0.3 441160  7660 ?        S    21:07   0:00 php-fpm: pool test-01
test-01   51672  0.0  0.3 441160  7660 ?        S    21:07   0:00 php-fpm: pool test-01
test-01   51673  0.0  0.3 441160  7660 ?        S    21:07   0:00 php-fpm: pool test-01
test-02   51667  0.0  1.1 226120 22908 ?        Ss   21:07   0:00 php-fpm: master process (/nix/store/mnbrrg17ac6sx5in3x4m311f6bnp710h-phpfpm-test-02.conf)
test-02   51678  0.0  0.3 226120  8160 ?        S    21:07   0:00 php-fpm: pool test-02
test-02   51679  0.0  0.3 226120  8160 ?        S    21:07   0:00 php-fpm: pool test-02
test-02   51680  0.0  0.3 226120  8160 ?        S    21:07   0:00 php-fpm: pool test-02
test-02   51681  0.0  0.3 226120  8160 ?        S    21:07   0:00 php-fpm: pool test-02
test-03   51669  0.0  1.1 447092 22668 ?        Ss   21:07   0:00 php-fpm: master process (/nix/store/7zzwg870v29jfyrdpqv74klnzaljmp66-phpfpm-test-03.conf)
test-03   51674  0.0  0.3 447092  7696 ?        S    21:07   0:00 php-fpm: pool test-03
test-03   51675  0.0  0.3 447092  7696 ?        S    21:07   0:00 php-fpm: pool test-03
test-03   51676  0.0  0.3 447092  7696 ?        S    21:07   0:00 php-fpm: pool test-03
test-03   51677  0.0  0.3 447092  7696 ?        S    21:07   0:00 php-fpm: pool test-03

@aanderse
Member Author

aanderse commented Feb 4, 2021

@Izorkin you must be missing some configuration here because nginx and wwwrun wouldn't have permission to read the sockets created here. Maybe you forgot to add users.users.nginx.extraGroups = [ "test-01" "test-02" ]; to the example you posted?

@Izorkin
Contributor

Izorkin commented Feb 5, 2021

@aanderse yes, need to add users.users.nginx.extraGroups = [ "test-01" "test-02" ];
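
The permission failure aanderse points out above (and Izorkin confirms) can be checked mechanically before a pool goes live. This is an added example, not code from the PR or the module; it models the kernel's connect() permission checks against `ls -l` lines constructed to match the listing in Izorkin's earlier comment, and assumes `/run` itself is world-searchable as that listing shows.

```python
"""Decide whether a web-server account can connect() to a php-fpm socket.

Added example (not part of the PR). It applies the checks the kernel makes
for a unix-socket connect(): search (x) permission on the socket's directory
and write (w) permission on the socket inode, each resolved owner -> group
-> other against the caller's user and supplementary groups.
"""

R, W, X = 4, 2, 1


def parse_ls_line(line):
    """One `ls -l` line -> dict(name, type, mode, owner, group)."""
    f = line.split()
    perms, owner, group, name = f[0], f[2], f[3], f[-1]
    mode = 0
    for ch in perms[1:10]:          # rwxrwxrwx -> nine permission bits
        mode = (mode << 1) | (ch != "-")
    return {"name": name, "type": perms[0], "mode": mode,
            "owner": owner, "group": group}


def allowed(entry, user, groups, want):
    """Unix DAC: the first class that applies (owner, group, other) decides."""
    if user == "root":               # CAP_DAC_OVERRIDE; not modelled further
        return True
    if user == entry["owner"]:
        bits = entry["mode"] >> 6
    elif entry["group"] in groups:
        bits = entry["mode"] >> 3
    else:
        bits = entry["mode"]
    return ((bits & 7) & want) == want


def can_connect(dir_line, sock_line, user, groups):
    """Return (ok, reason) for `user` connecting to the socket that lives in
    the per-pool runtime directory. Assumes /run is drwxr-xr-x root root, so
    only the pool directory and the socket inode decide."""
    d, s = parse_ls_line(dir_line), parse_ls_line(sock_line)
    if d["type"] != "d" or not allowed(d, user, groups, X):
        return False, (f"{user} cannot traverse /run/{d['name']} "
                       f"(mode 0{d['mode']:o}, owner {d['owner']}, group {d['group']})")
    if s["type"] != "s":
        return False, f"{s['name']} is not a socket"
    if not allowed(s, user, groups, W):
        return False, f"{user} has no write permission on {s['name']} (mode 0{s['mode']:o})"
    return True, f"{user} may connect to /run/{d['name']}/{s['name']}"


# Constructed to match RuntimeDirectoryMode = "0750" and listen.mode = "0660".
POOL_DIR = "drwxr-x---  2 test-01 test-01   60 Dec 13 21:07 phpfpm-test-01"
POOL_SOCK = "srw-rw----  1 test-01 test-01    0 Dec 13 21:07 test-01.sock"
# A widened socket (listen.mode = 0666) inside the same 0750 directory.
OPEN_SOCK = "srw-rw-rw-  1 test-01 test-01    0 Dec 13 21:07 test-01.sock"

if __name__ == "__main__":
    # nginx without and with the extraGroups membership from the thread
    for user, groups in (("nginx", ["nginx"]), ("nginx", ["nginx", "test-01"])):
        print(can_connect(POOL_DIR, POOL_SOCK, user, groups)[1])
    # widening listen.mode alone does not help: the directory still blocks
    print(can_connect(POOL_DIR, OPEN_SOCK, "nginx", ["nginx"])[1])
```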

@aanderse
Member Author

aanderse commented Feb 6, 2021

@Izorkin after playing with systemd sockets and php-fpm again I'm finally convinced we can't ship with systemd socket activation as the default.

I'm closing this PR and will open a new PR which includes your recommendations soon.

7 participants