0

I had a website running fine on Debian 7 + PHP 5.6, and recently decided to upgrade my Debian installation to Debian 8. Everything went fine, except for a small thing.

While running the same code, it seems like PHP is unable to write anything to /tmp/; now I get messages like:

errno: 2,
errstr: "ZipArchive::extractTo(): Permission denied",
errcontext: {
    Filepath: "/tmp/phpVTUxDh",
    Options: null,
    Zip: {
       status: 0,
       statusSys: 0,
       numFiles: 12,
       filename: "/tmp/phpVTUxDh",
       comment: ""
    },
Status: true

Apparently the method extractTo() is having a hard time writing to /tmp. Is there any specific change on the system that could be causing this? What about the new systemd PrivateTmp thing?

I tried to add PrivateTmp=false to the files:

/etc/systemd/system/multi-user.target.wants/lighttpd.service
/etc/systemd/system/multi-user.target.wants/php5-fpm.service

However, it doesn't seem to make any difference there.

Anyway, any specific reason why /tmp is now always empty? Also, where is the new location of the tmp?

Thank you.

TCB13

1 Answer

2

Some things to check:

1) System user you run php-fpm as

2) AppArmor:

cat /sys/module/apparmor/parameters/enabled

if enabled:

grep 'DENIED' /var/log/syslog   # or /var/log/audit/audit.log

3) Permissions on /tmp:

stat /tmp

4) open_basedir in PHP settings:

su -m <php_user> -c "php -i | grep -i open_basedir"

Also, when you modify a systemd unit file, try reloading it first: `systemctl daemon-reload` and then restart php-fpm.

dawud
steek
  • 1
    1) `www-data`; 2) NO; 3) `Access: (1777/drwxrwxrwt) Uid: ( 0/ root) Gid: ( 0/ root)`; 4) `open_basedir => no value => no value`; However it's now working, your `systemctl daemon-reload` tip worked fine. ;) So... Even if I run it with `PrivateTmp=true` shouldn't PHP work? Why not? How can I take advantage of PrivateTmp without screwing PHP? Thx – TCB13 May 29 '15 at 20:21
  • In general, PrivateTmp should work just fine. It uses kernel namespaces and overrides the /tmp location for a process. I just tested it on a CentOS 7 server as I don't have Debian on hand. ` # cat ./systemd-private-ZnEQcW/tmp/data.txt test` – steek May 29 '15 at 21:03
  • 1
    Keep in mind that PrivateTmp isolates the tmp folder for a process and other processes cannot access its data, so 'sharing' via tmp will be impossible. It can also be a bug in the systemd Debian 8 uses; I cannot say much without knowing your code or configuration specifics – steek May 29 '15 at 21:09
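
On the question of where a service's /tmp lives once PrivateTmp is in effect, the following is an added example, not code from the question, answer or comments. It parses mountinfo-format text (the format of /proc/<pid>/mountinfo) and reports the directory bind-mounted over /tmp; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# mountinfo fields (proc(5)): 4 = root of the mount inside its backing
# filesystem, 5 = mount point as seen by the process.

# Constructed sample: a service started with PrivateTmp=true, /tmp on the
# root filesystem. Not captured from a real host.
sample_private() {
cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
85 22 8:1 /tmp/systemd-private-EXAMPLE/tmp /tmp rw,relatime shared:40 - ext4 /dev/sda1 rw
86 22 8:1 /var/tmp/systemd-private-EXAMPLE/tmp /var/tmp rw,relatime shared:41 - ext4 /dev/sda1 rw
EOF
}

# Constructed sample: a process that shares the host's /tmp (no mount on /tmp).
sample_shared() {
cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
EOF
}

# Reads mountinfo text on stdin. Prints the directory that backs /tmp when it
# is a systemd private bind mount; returns 1 when /tmp is not private.
# The last matching line wins because later mounts stack on top of earlier ones.
# If /tmp is its own filesystem on the host, the printed path is relative to
# that filesystem's root rather than to /.
private_tmp_root() {
    awk '$5 == "/tmp" && $4 ~ /systemd-private-/ { root = $4 }
         END { if (root == "") exit 1; print root }'
}

# One-line summary for a mountinfo stream on stdin.
tmp_view() {
    if root=$(private_tmp_root); then
        echo "private: /tmp is backed by $root"
    else
        echo "shared: process sees the host /tmp"
    fi
}

# Demo on the constructed samples.
sample_private | tmp_view
sample_shared | tmp_view
```

On a live system, run `tmp_view < /proc/<pid>/mountinfo` as root, with the PID of a php5-fpm worker. Files the service writes to /tmp then show up on the host under the reported directory, not in /tmp itself.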