Bug 1095239

Summary: After updating php to 5.5.12 version stop working accesing from nginx to unix socket
Product: [Fedora] Fedora Reporter: Mikhail <mikhail.v.gavrilov>
Component: phpAssignee: Joe Orton <jorton>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: fedora, jorton, mikhail.v.gavrilov, rcollet
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-07 12:12:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mikhail 2014-05-07 10:42:02 UTC 
Description of problem:
After updating php to 5.5.12 version stop working accesing from nginx to unix socket

#content of file /etc/php-fpm.d/mikhail.conf                                                                                                              
[crmdev]
listen = /var/run/php-fpm/crmdev.sock
user = mikhail
group = mikhail
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
;slowlog = /var/www/mikhail/logs/php-fpm-slow.log
;php_admin_value[error_log] = /var/www/mikhail/logs/php-fpm-error.log
php_admin_flag[log_errors] = on
; Set session path to a directory owned by process user
php_value[session.save_handler] = files
php_value[session.save_path]    = /tmp
php_value[soap.wsdl_cache_dir]  = /tmp

#content of file /etc/nginx/conf.d/localhost.conf                                                                                                           
server {
        if ($request_method !~ ^(GET|POST)$ ) {
                return 200;
        }

    listen	80;
    server_name localhost;
    root        /home/mikhail/www;
    error_log   /home/mikhail/logs/nginx_error.log;
    access_log  /home/mikhail/logs/nginx_access.log;

    location / {
        index   index.php index.html index.htm;
    }
    #pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        fastcgi_pass    unix:/var/run/php-fpm/crmdev.sock;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }
}
Comment 1 Mikhail 2014-05-07 10:49:11 UTC 
# ss -lp | grep php
u_str  LISTEN     0      128    /var/run/php-fpm/crmdev.sock 705591                * 0       users:(("php-fpm",pid=14178,fd=0),("php-fpm",pid=14177,fd=0),("php-fpm",pid=14176,fd=0),("php-fpm",pid=14175,fd=0),("php-fpm",pid=14174,fd=0),("php-fpm",pid=14173,fd=8))
Comment 2 Remi Collet 2014-05-07 11:46:41 UTC 
To fix CVE-2014-0185, the Unix socket default permission have change (from 0666 to 0660).

You have to set it using "listen.mode" (or change nginx / fpm user / group).


Notice : 
- default configuration use network socket; so is not affected
- explained on https://admin.fedoraproject.org/updates/FEDORA-2014-5960
Comment 3 Mikhail 2014-05-07 12:10:20 UTC 
I add
listen.owner = nginx
listen.group = nginx
in file /etc/php-fpm.d/mikhail.conf and it solve this problem