Blue Static

PHP File Uploads, FPM, Systemd, and SELinux

Posted on February 4, 2023 at 10:00 UTC, filed under the category Uncategorized. Tags: PHP,

Last year I migrated this (and other sites) off a DreamHost VPS, which is a managed VPS product that does not offer much control over server configuration, to an unmanaged VPS at Vultr running Rocky Linux.

The server runs nginx and PHP using the FastCGI Process Manager. Rocky Linux, being a RedHat/CentOS-based distribution, also runs with SELinux enabled. SELinux greatly improves the security architecture of the system, but it does sometimes create obscure problems that take some time to debug. This post will discuss one such problems.

The issue was that PHP file uploads, such as in the bug tracker, were failing to upload, but there were no obvious error messages in the PHP error log.

When an <input type="file"> is used to submit a HTTP POST request, PHP reads the uploaded stream into a temporary file, and it stores the name of the temporary file in $_FILES['userfile']['tmp_name']. Unless the upload_tmp_dir php.ini variable is specified, the files will be put into the default temporary directory, which in this case was /tmp.

In addition, the systemd unit file for the php-fpm service specifies PrivateTmp=true. This option “sets up a new file system namespace for the executed processes and mounts private /tmp/ and /var/tmp/ directories inside it that are not shared by processes outside of the namespace”. In practice, that means that php-fpm runs with /tmp mounted from something like /tmp/systemd-private-026f628ae5ca469eb0213f719ca482-php-fpm.service-blDUvc outside of the namespace.

The issue is that php-fpm does not have permission to write this location because of SELinux. To fix this, I needed to adjust the system SELinux policy to permit php-fpm to write to that location. To do this, I issued the following command:

sudo semanage fcontext -a '(/var)?/tmp/systemd-private-(.+)-php-fpm\.service-(.*)/tmp(/.*)?' -t httpd_tmp_t

… which specifies a regular expression to the PrivateTmp path to be treated as the httpd_tmp_t SELinux label. That grants php-fpm the authority to write files to that directory, which is mounted at /tmp for the process.

After adjusting the policy, PHP file uploads worked like normal. The main confusing bit was that there were no error messages printed to SELinux log nor the PHP log.

MacGDBp 2.1.2 Released

Posted on May 19, 2022 at 18:35 UTC, filed under the category MacGDBp. Tags: software, MacGDBp,

MacGDBp 2.1.2 is now released containing one bug fix.

You can download MacGDBp 2.1.2 from the product page.

MacGDBp 2.1.1 Released

Posted on February 27, 2022 at 19:00 UTC, filed under the category MacGDBp. Tags: software, MacGDBp,

MacGDBp 2.1.1 is now released. The significant change is that the release is now code-signed and notarized by Apple.

You can download MacGDBp 2.1.1 from the product page.

MacGDBp 2.1 Released

Posted on January 2, 2022 at 07:00 UTC, filed under the category MacGDBp. Tags: software, MacGDBp,

Happy New Year! Today I’m releasing MacGDBp 2.1, which improves compatability with macOS 12 Monterey. The major new change is native support for Apple Silicon. In addition, there are some visual tweaks to work better on macOS 12.

Another notable change is that on newer macOS versions, Apple have stopped shipping a PHP executable by default. MacGDBp previously relied on this to highlight the source code viewer. This release now adds a preference to specify the PHP executable path to enable syntax highlighting.

You can download MacGDBp 2.1 from the product page.

Announcing Mailpopbox

Posted on August 8, 2020 at 14:00 UTC, filed under the category Mailpopbox. Tags: software, Mailpopbox,

I’m excited to announce the first new Blue Static product in 13 years!

Mailpopbox is an email server that helps provide anonymity by accepting email to any account at the domain (i.e. a catch-all wildcard). All messages are delivered to a single mailbox, from which your email client downloads all the messages.

This is version 2.0.1, which you may find surprising for an “initial release.” I’ve been running Mailpopbox myself for more than three years, adding features and fixing bugs. So it has been fairly well-tested in production, and I decided it was finally time to release it.

Mailpopbox is also the first product to use GitHub for issue tracking, rather than Bugdar. I’m doing this as an experiment, so we’ll see how that goes. Pull requests are welcome via GitHub too, though the repository source of truth will remain self-hosted here on Blue Static.

You can download Mailpopbox 2.0.1 and read more on the product page.

« Older Entries