May 2020

Hello together,

I have the following strange problem:
when a file is uploaded to EGroupware, under the hood the system gives root ownership and the following permissions in the …files/sqlfs… folder:

drwx------ 2 root root 4096 May 14 08:21 .
drwx------ 100 www-data www-data 4096 May 14 08:21 ..
-rw-r--r-- 1 root root 2226 May 14 08:21 3019700
-rw-r--r-- 1 root root 1700 May 14 08:21 3019701
-rw-r--r-- 1 root root 3009 May 14 08:21 3019702
-rw-r--r-- 1 root root 58683 May 14 08:21 3019704

But then when it tries to load the file it gives an error:

PHP message: PHP Warning: fopen(/var/lib/egroupware/default/files/sqlfs/03/01/97/3019718): failed to open stream: Permission denied in /var/www/egroupware/api/src/Vfs/Sqlfs/StreamWrapper.php on line 317
PHP message: #1 /var/www/egroupware/api/src/Vfs/Sqlfs/StreamWrapper.php(317): fopen('/var/lib/egroup...', 'w')
PHP message: #2 /var/www/egroupware/api/src/Vfs/Links/StreamWrapper.php(355): EGroupware\Api\Vfs\Sqlfs\StreamWrapper->stream_open('achelper.links:...', 'w', 0, '/apps/infolog/2...')
PHP message: #3 [internal function]: EGroupware\Api\Vfs\Links\StreamWrapper->stream_open('achelper.links:...', 'w', 0, '/apps/infolog/2...')
PHP message: #4 /var/www/egroupware/api/src/Vfs/StreamWrapper.php(317): fopen('achelper.links:...', 'w', false, Resource id #1)
PHP message: #5 [internal function]: EGroupware\Api\Vfs\StreamWrapper->stream_open('vfs://default/w...', 'w', NULL, NULL)
PHP message: #6 /var/www/egroupware/api/src/WebDAV/Server/Filesystem.php(527): fopen('vfs://default/w...', 'w')
PHP message: #7 /var/www/egroupware/api/src/Vfs/WebDAV.php(900): HTTP_WebDAV_Server_Filesystem->PUT(Array)
PHP message: #8 /var/www/egroupware/api/src/WebDAV/Server.php(1842): EGroupware\Api\Vfs\WebDAV->PUT(Array)
PHP message: #9 /var/www/egroupware/api/src/WebDAV/Server.php(304): HTTP_WebDAV_Server->http_PUT()
PHP message: #10 /var/www/egroupware/api/src/Vfs/WebDAV.php(72): HTTP_WebDAV_Server->ServeRequest(NULL)
PHP message: #11 /var/www/egroupware/webdav.php(88): EGroupware\Api\Vfs\WebDAV->ServeRequest()
PHP message: #12 {main}

when I set everything to www-data it can load the file, but new files are again created as root.

Thanks for your support and best regards,
Alex

Does the upload creating these files happen via EGroupware?

If that’s the case, it would mean the php-fpm process is running as user root and not as www-data.
Easy to check when you exec into the container and run ps axfu.

Question would then be, are you using our container, or do you modify / enhance it somehow?

If the latter is the case, you need to make sure to run php-fpm as www-data.

Ralf

Hello Ralf,
thanks for your reply,

ps axfu.

gives

root@b09e8a3c21f2:/# ps axfu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 25511 1.5 0.0 18500 3372 pts/1 Ss 10:03 0:00 /bin/bash
root 25531 0.0 0.0 34404 2864 pts/1 R+ 10:03 0:00 \_ ps axfu
root 17456 0.0 0.0 18616 3472 pts/0 Ss 04:47 0:00 /bin/bash
root 17549 0.0 0.0 52392 8776 pts/0 S+ 04:55 0:00 \_ vim /etc/php/7.3/fpm/pool.d/www.conf
root 1 0.0 0.1 1228172 38452 ? Ss May13 0:28 php-fpm: master process (/etc/php/7.3/fpm/php-fpm.conf)
root 79 0.0 0.0 28356 2668 ? Ss May13 0:00 /usr/sbin/cron
www-data 25527 45.0 0.2 1320796 70032 ? R 10:03 0:03 php-fpm: pool www
www-data 25528 13.4 0.1 1248304 58832 ? S 10:03 0:00 php-fpm: pool www
www-data 25530 18.8 0.1 1241980 54992 ? R 10:03 0:00 php-fpm: pool www

so I understand that php-fpm master process runs as root and the other php-fpm processes run as www-data, is this correct?

I have done only minor changes to the docker file, but based on egroupware/development:7.3 :

FROM egroupware/development:7.3

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y php-mailparse php7.3-soap php-solr php7.3-intl freetds-common freetds-bin php7.3-sybase && \
    # Configure freetds to connect with softone server (8 spaces in the second and the following lines)
    sed -i -e "\$a[vswpb1]\n        host=10.255.255.121\n        instance = MODELS1_EL\n        tds version = 7.1\n        client charset = GREEK" /etc/freetds/freetds.conf && \
    # Configure crontab to run async services in egroupware
    echo "*/3 * * * * /usr/bin/php -q -d memory_limit=-1 /var/www/egroupware/api/asyncservices.php default" >> temp_cron && \
    crontab temp_cron && \
    rm temp_cron && \
    # Increase cache size for our installation
    grep "apc.shm_size" /etc/php/7.3/fpm/conf.d/20-apcu.ini >/dev/null && \
    sed -e "s/^;\?apc.shm_size.*/apc.shm_size=512M/g" \
        -i /etc/php/7.3/fpm/conf.d/20-apcu.ini || \
    echo "apc.shm_size=512M" >> /etc/php/7.3/fpm/conf.d/20-apcu.ini && \
    # Increase allowed memory for each script
    sed -e 's/^;\?php_admin_value\[memory_limit\].*/php_admin_value[memory_limit] = 2000M/' -i /etc/php/7.3/fpm/pool.d/www.conf

Yes, that’s how it should be.

That runs cron jobs as user root, if the files are created by a cron-job, they have the wrong owner.

Better would be to patch the higher frequency in our existing cron file:

RUN sed -e 's|*/5|*/3|g' -i /etc/cron.d/egroupware

Some of the other stuff in your changed container can also be done via environment variables in your docker-compose.yml:

Ralf
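
The two checks this thread turns on, file ownership under sqlfs and the account a cron job runs as, can be scripted. The following is an added example, not part of the original posts or of EGroupware. The function names `foreign_owned` and `cron_job_users` are hypothetical, and the script assumes /etc/cron.d/egroupware uses the standard system-crontab layout with a user field, which the thread does not show.

```shell
#!/bin/sh
# Added example: list sqlfs files the web worker cannot open, and show which
# account a system crontab (/etc/cron.d format) runs a matching job as.

# Print every path under DIR that is not owned by OWNER (user name or uid).
foreign_owned() {
    dir=$1
    owner=$2
    find "$dir" ! -user "$owner" -print
}

# /etc/cron.d lines are: min hour dom mon dow USER command...
# Print the USER of each job whose line contains PATTERN. A per-user crontab
# installed with `crontab FILE` has no USER field: it always runs as the
# account that installed it (root during a Dockerfile RUN step).
cron_job_users() {
    file=$1
    pattern=$2
    awk -v pat="$pattern" '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        index($0, pat) && NF >= 7 { print $6 }
    ' "$file" | sort -u
}

# Stand-alone run inside the container (paths as quoted in the thread).
SQLFS=/var/lib/egroupware/default/files/sqlfs
if [ -d "$SQLFS" ] && id -u www-data >/dev/null 2>&1; then
    echo "Not owned by www-data:"
    foreign_owned "$SQLFS" www-data
    if [ -r /etc/cron.d/egroupware ]; then
        echo "asyncservices.php runs as:"
        cron_job_users /etc/cron.d/egroupware asyncservices.php
    fi
fi
```

Any path printed by the first check, or any user other than the php-fpm pool user printed by the second, reproduces the "Permission denied" condition from the first post.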

Hello Ralf,
yes this explains it, I will make the adjustments.
Thank you again!
BR
Alex